The US Department of Defense (DoD) has published its first vulnerability disclosure policy which sets out the rules for hackers to avoid a lawsuit or a visit from police.
The new disclosure policy covers bugs found in any of DoD’s public facing systems, and offers researchers guidance on what they can do and should not do while probing DoD systems for bugs.
This includes agreeing not to exploit its systems beyond what is needed to prove a bug exists, not exfiltrating data, and not compromising the privacy of any DoD personnel. Denial-of-service testing and spear-phishing of employees are also not permitted.
“We hope that this policy will yield a steady stream of disclosures, allowing us to find and fix issues faster. The net effect is that the Department of Defense, our service members, and the public will be safer and more secure,” said Secretary of Defense Ash Carter.
Bugs reported under the DoD’s new disclosure policy will not be rewarded with cash; however, DoD is also getting ready to launch a targeted bounty called Hack the Army that will pay rewards.
Carter said the new bounty was the first of “many more bounties to come” that will direct external hackers towards specific groups of systems over time.
The department on Monday started taking applications for the new bug bounty, building on its Hack the Pentagon pilot in April. The pilot bounty attracted 1,410 participants and generated 138 valid reports, with the first bug found within 13 minutes.
Hack the Army, which was announced earlier this month, will accept up to 500 hackers who will be invited to find bugs in a list of approved websites and databases.
“Hack the Army represents a significant step forward from Hack the Pentagon in that the Army websites offered up to hackers will be more dynamic, rather than simply static websites that aren’t operationally significant. These sites are critical to the Army’s recruiting mission, and as a result must be hardened,” said Carter.
The new bounty starts on November 30 and wraps up on December 21. As with Hack the Pentagon, DoD is running the Army bounty on HackerOne’s platform. Participants must at least be authorized to work within the US to be eligible. To receive a reward, which could be thousands of dollars, hackers will need to undergo a criminal background check.
As part of the wider disclosure program, DoD promises to coordinate a fix with researchers as quickly as possible. It has committed to acknowledging each report within three days.
If researchers stick to the rules, they can expect not to face a civil lawsuit from the DoD or to be investigated by law enforcement.
“If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) DoD will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than DoD, DoD will take steps to make known that your activities were conducted pursuant to and in compliance with this policy,” the document states.
Any research conducted on non-DoD systems could still result in legal action, depending on how the agency chooses to handle the incident.