The Department of Defense today announced two initiatives based on the past success of Hack the Pentagon and aimed at increasing vulnerability reporting opportunities: a Vulnerability Disclosure Policy and Hack the Army.
“The Vulnerability Disclosure Policy is a ‘see something, say something’ policy for the digital domain,” said Secretary of Defense Ash Carter. “We want to encourage computer security researchers to help us improve our defenses. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”
This policy applies to the DoD’s public-facing systems and commits the department to working openly and in good faith with cybersecurity researchers.
The Department of Justice’s criminal division was consulted on the policy’s development and Assistant Attorney General Leslie Caldwell described it as “a laudable way to help computer security researchers use their skills in an effective, beneficial, and lawful manner to reduce security vulnerabilities.”
The second initiative, “Hack the Army,” adds to the incentives for discovering DoD vulnerabilities by offering a bug bounty to researchers. Approximately 500 hackers are expected to participate to address the vulnerabilities of operationally relevant websites, such as recruiting sites, and could receive thousands of dollars in reward.
“As secretary of the Army, the security of these foundational systems is incredibly important to me, and security is everyone’s responsibility,” Secretary of the Army Eric Fanning said. “We need as many eyes and perspectives on our problem sets as possible and that’s especially true when it comes to securing the Army’s pipeline to future soldiers.”
According to the DoD press release, the goal is to have the Vulnerability Disclosure Policy to encourage general security aid while the Hack the Army program focuses efforts on high-priority systems.