Should the Army adopt a bug bounty program?
- By Mark Pomerleau
- Nov 06, 2015
If the military wants to adopt best practices from the tech industry, it should take a page from the private sector and start encouraging vulnerability reporting with bug bounties.
That’s the thinking of Captains Rock Stevens and Michael Weigand. In an article in Cyber Defense Review, the authors write that the Army “urgently needs to stand up vulnerability disclosure and response program that would permit its personnel to responsibly report findings to a centralized entity that would assist in tracking and resolving issues.”
Bug bounties are formal programs in which researchers are rewarded for responsibly disclosing security vulnerabilities; they have been established at many private sector firms, such as United Airlines, Microsoft, Google and Facebook. The authors say the Army can leverage current incentive programs to encourage participation without providing the direct monetary rewards that other bug bounty programs offer.
Although the Army has several programs in place for finding and managing vulnerabilities, the authors write, they are not as robust as a private-sector bug bounty program because they restrict scanning tools and prohibit penetration testing. They report that the current standard operating procedure that exists for vulnerability disclosure is not centrally tracked or managed.
Furthermore, the authors suggest that personnel who do find vulnerabilities may be reluctant to share them with supervisors for fear of reprisal. “Revocation of security clearances, loss of access to IT systems, and punitive action under the Uniform Code of Military Justice are all viable outcomes for someone who casually stumbles upon an interesting finding during everyday work,” they write.
In a move toward a high-level solution, the captains propose an Army Vulnerability Response Program, which could not only serve as the Army’s center for all cyber-related warfighter or security issues, but also sponsor the discovery of unpatched systems and vulnerabilities. Such a program would bolster security and intelligence of networks going forward, the authors maintain.
Like bug bounty programs in the private sector, the suggested AVRP would have clear rules of engagement:
- The collection of personally identifiable information should be minimized and only collected to the extent it assists in explaining vulnerabilities.
- Vulnerabilities discovered on Army networks should not be publicly disclosed. In fact, this information could even potentially be classified.
- Automated vulnerability scanners should not be used against Army networks.
- Researchers would not be able to actively or passively interact with third-party entities related to the government.
- Network-level distributed denial of service attacks will be prohibited.
In order to limit the number of negligible issues reported by inexperienced researchers, the authors suggest the AVRP could clearly define and prioritize the vulnerability classes in which the Army is most interested. Researchers would use a standard report to ensure a baseline of information required to understand and reproduce a discovered vulnerability. And if the vulnerability is considered serious enough, researchers would be granted permission to conduct “a narrowly scoped analysis” in cooperation with AVRP, the affected vendor or program office, and/or select elements of the Army Cyber Mission Force.
The authors also discuss workforce and enterprise benefits as well as policy changes that would be required to implement such a program. The full paper can be found here.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.