Shifting the Tide: DoD’s new Vulnerability Disclosure Policy
How “Hack the Pentagon” follow-up efforts are strengthening and changing the DoD’s security landscape.
By Lisa Wiswell, Defense Digital Service and Charley Snyder, OSD Policy
Every day at the Department of Defense (DoD), a perpetual conflict takes place between hackers seeking to gain access to our networks and our defenders seeking to keep them out. About a year ago, we began to brainstorm ways to fundamentally shift this dynamic in favor of DoD. Increasingly, major corporations supplement their in-house security talent by engaging with the far larger talent pool of security researchers across the globe — so why couldn’t we?
We embarked on an effort to engage this community to help spot vulnerabilities in DoD networks before malicious hackers could. Earlier this year, we successfully completed that pilot, called Hack the Pentagon, and followed it up with initiatives to make engagement with the security researcher community a permanent part of DoD’s approach to security. Who says government can’t move quickly?
Hack the Pentagon proved to many in the government that the hacker community could make positive contributions to our security — and that caricatures about dangerous, childish lawbreakers weren’t accurate. The pilot was a huge success — 138 real vulnerabilities were discovered and disclosed to us in three weeks. Hack the Pentagon vividly illustrated that hackers and the government can and should work together. Both sides were conscientious, collaborative, and totally dedicated to ensuring the pilot was a success.
This spirit of cooperation gave us the proof we needed to make a broader pitch to institutionalize crowdsourced solutions for our security within the Department of Defense and the wider government. In the past few weeks, these pieces have come together for DoD.
New Vulnerability Disclosure Policy
On November 21, the Secretary of Defense announced a Vulnerability Disclosure Policy covering all Department of Defense websites. For the first time, someone who uncovers a security issue on a DoD website will have clear guidance on how to disclose that vulnerability. Even better, the vulnerability disclosure policy will reduce the legal uncertainty that can have a chilling effect on Internet security research. That’s one reason why the Department of Justice is also a fan of this initiative. As the owner of a large percentage of the Internet’s address space, we want to do our part to encourage research into the health of the Internet.
We hope that this policy will yield a steady stream of disclosures, allowing us to find and fix issues faster. The net effect is that the Department of Defense, our Service members, and the public will be safer and more secure. So far, the reception has been fantastic — the same collaborative spirit that made Hack the Pentagon such a success has carried over into this effort.
Hack the Army & Future Bug Bounties
Although the new vulnerability disclosure policy covers all DoD websites, we also want to sponsor focused challenges on specific networks and systems, so we are bringing bug bounties back! When we announced the vulnerability disclosure policy, we also opened registration for the Hack the Pentagon follow-on, called Hack the Army, which Secretary of the Army Eric Fanning announced on Veterans Day. This challenge is focused on Army websites that support recruiting, and it is the first of many more bounties to come.
We contracted with HackerOne for large, open challenges like Hack the Army, and we’ve partnered with Synack to conduct private challenges against more sensitive assets like internal systems, embedded devices, and source code. This way, we can reap the benefits of crowdsourced vulnerability discovery and disclosure across the full range of DoD technologies, and all DoD Components have the ability to leverage these contracts to host their own bounties.
All of these parts fit together to create a healthier ecosystem for security. We hope to create a feedback loop where hackers are encouraged to point out flaws and receive recognition for their contributions — enhancing the government’s security and cementing the reputation of security researchers as a critical element of Internet security. We believe that these efforts represent a positive example of government adopting best practices from industry and moving an idea from concept to execution fairly rapidly.
We hope that efforts like this can lead to deeper civic engagement where everyone has the opportunity to directly serve their country to solve shared challenges. Not everyone wants to put on a uniform, fill out a security clearance form, or move to Washington, DC, but Hack the Pentagon showed that people will help their government if they are treated with respect and given an avenue to do so.
As we move forward with these initiatives, we are committed to making our government more open, innovative, and engaged with private citizens. We’ll continue to listen to feedback as we work to improve, so please let us know how we’re doing and what we can do better!