DOD announces new cyber vulnerability disclosure policy

By Tony Bertuca / November 21, 2016 at 12:43 PM

The Defense Department has announced a new legal avenue for security researchers to find and disclose cyber vulnerabilities in any public-facing DOD systems.

"This policy is the first of its kind for the department," according to a Pentagon statement. "It provides clear guidance to security researchers for testing and disclosing vulnerabilities in DOD websites, and commits the department to working openly and in good faith with researchers."

Defense Secretary Ash Carter called the new initiative a "'see something, say something' policy for the digital domain," according to the statement.

"We want to encourage computer security researchers to help us improve our defenses," Carter said. "This policy gives them a legal pathway to bolster the department's cybersecurity and ultimately the nation's security."

Assistant Attorney General Leslie Caldwell described the effort as "a laudable way to help computer security researchers use their skills in an effective, beneficial, and lawful manner to reduce security vulnerabilities."

The new policy was announced simultaneously with a "Hack the Army" challenge, which follows the template laid out by the "Hack the Pentagon" challenge which concluded in June.

"The Vulnerability Disclosure Policy will provide a standing avenue of reporting for all DOD websites, whereas bug bounties like 'Hack the Army' will provide incentives to researchers to focus on specific high-priority DOD networks and systems," according to the statement.

Details on the initiatives can be found at HackerOne.com/DeptOfDefense and HackerOne.com/HacktheArmy.
