After the huge success of the "Hack the Pentagon" bug bounty pilot, which invited hackers across the country to find and report vulnerabilities in Department of Defense networks in return for cash rewards, the Department of Defense has launched two new initiatives to further strengthen the cybersecurity of the DoD.
The US Department of Defense (DoD) and HackerOne have officially launched a vulnerability disclosure program under which researchers are free to report bugs or flaws they discover in its websites without fear of prosecution.
"This policy is a first of its kind for the US Government," HackerOne says. "With DoD's new vulnerability disclosure policy, hackers have clear guidance on how to legally test for and disclose vulnerabilities in DoD's websites outside of bug bounty challenges. This new initiative underscores DoD's commitment to working in partnership with the hacker community to improve security."
The name of the program is "see something, say something." Defense Secretary Ashton B. Carter said that the program focuses on improving the cybersecurity of the Pentagon's unclassified, public-facing networks.
“This is a historic moment for hackers and the U.S. government,” said Katie Moussouris, founder of Luta Security and an adviser to the Pentagon on the new policy. “For the first time since hacking became a felony offense over 30 years ago, the Department of Defense has now opened the doors for ongoing vulnerability disclosure from helpful hackers who want to help secure these systems without fear of legal prosecution.”
But the DoD has issued certain guidelines for the researchers.
“Your activities are limited exclusively to –
(1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
(2) Sharing with, or receiving from, DoD information about a vulnerability or an indicator related to a vulnerability.”
Here are ten commandments released by the Department of Defense for demonstrating compliance with its policy:
- You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on DoD information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You do not exfiltrate any data under any circumstances.
- You do not intentionally compromise the privacy or safety of DoD personnel (e.g. civilian employees or military members), or any third parties.
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any DoD personnel or entities, or any third parties.
- You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from DoD.
- You do not conduct denial of service testing.
- You do not conduct social engineering, including spear phishing, of DoD personnel or contractors.
- You do not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.