
Probing restrictions may stilt Pentagon’s vulnerability disclosure program for contractors


The Department of Defense is putting the systems and networks of defense contractors to the test in a new pilot vulnerability disclosure program, the latest indicator of the government's desire to expand upon its previous ventures crowdsourcing cybersecurity.

The Defense Industrial Base Vulnerability Disclosure pilot will last 12 months and allow researchers to probe a pre-approved list of DoD contractor information systems, networks and applications. The Pentagon said that any vulnerabilities submitted through the program will be used for defensive purposes, not to develop new offensive capabilities.

According to DoD, third-party researchers have found more than 30,000 potential exploits for DoD systems as of April 2021, and the department is keen to replicate those efforts across its massive base of more than 300,000 contractors and suppliers. At the same time, hackers tied to the Chinese, North Korean, Iranian and Russian governments have relentlessly targeted U.S. defense contractors in an effort to steal sensitive information and duplicate military technologies.

The pilot puts a number of restrictions on researchers as they probe the networks and systems of defense contractors. Their permitted activities are limited to remote testing of certain pre-approved systems and sharing information with, or receiving information from, defense officials. Researchers are not permitted to exfiltrate data, intentionally access the content of communications, data or information, or exploit discovered vulnerabilities “beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.”

Researchers also can’t simulate denial-of-service attacks, conduct spear phishing or other forms of social engineering, test the physical security of facilities housing tested systems or publicly disclose details of a discovered vulnerability without the express, written approval of the program. The program “will seek to allow researchers desiring to be publicly recognized” but only “when practicable and authorized.”

A researcher who violates any of these rules risks losing their status as an authorized security researcher under the Pentagon’s program.

Vulnerability disclosure programs (and their cousin, bug bounty programs) have been around for decades, but experts debate how effective they are and under what conditions. While they can help an organization identify specific flaws or weaknesses in its systems, many of the substantive benefits depend on the specific terms of the program and the relationship between security researchers and the enterprise being tested.

Tatyana Bolton, a former senior policy director for the Cyberspace Solarium Commission, told SC Media in an interview that a vulnerability disclosure program for defense contractors was in an early draft of the commission’s recommendations to Congress for improving federal cybersecurity, but didn’t make the cut for the final version. The reason, said Bolton, was in part due to questions over how to structure the bureaucracy and reporting, as well as guardrails around what the government could do with the information.

“That’s not to say we didn’t think it was important; we absolutely did recognize that whole set of concerns, including who reports to the government, how they report, the process for that reporting, who is included within the government in terms of knowing that information," Bolton said. "Do they go to CISA, does it go to ODNI, does it go to FBI? All of that is something we thought about. It’s an extremely complex subject.”

Researchers who participate in the pilot won’t be compensated with a monetary reward, the way they are in most bug bounty programs. Bolton said bounty programs with financial compensation have their place (DoD has held several Hack the Pentagon events in recent years that pay security researchers), but she was heartened to see that DoD was attempting to build a relationship with the security research community based on national interest. That said, she expressed concern that an unreformed Computer Fraud and Abuse Act still loomed as a disincentive for many researchers.

“Everyone wants DoD networks to be secure, no one wants the missile codes stolen by Russia. That is the base incentive,” said Bolton, who currently works as policy director for the cybersecurity and emerging threats team at R Street. “Patriotism should be the number one reason you’re searching defense and contractor systems for vulnerabilities. I understand that’s not going to be everyone’s priority, but that’s the culture we’re trying to promote.”

Bug hunters and the companies they probe often disagree on questions like whether and when the researcher can go public with their findings after informing the affected party – something many researchers insist is a necessary check that puts meaningful pressure on organizations to acknowledge and remediate the flaw. While the participants in this pilot will need sign-off before publicizing their work, there are plenty of other details to hash out.

“What is going to be interesting with this formal process is how fast industry partners and government can and are willing to fix a reported finding,” said Monti Knode, director of customer and partners success at penetration testing company Horizon3.AI.

Bhavana Singh, practice head of bug bounty services at NCC Group, told SC Media that the limitations and restrictions in the pilot program are “detailed and clear” and often standard for most vulnerability disclosure programs. Still, she said the larger battle between industry and security researchers – and the need to balance the privacy and data rights of the target organization with the researcher’s desire to provide a meaningful security assessment – is “an ongoing challenge” with no easy answers.

“Having too many limitations and restrictions helps neither the researcher nor the organizations,” she said. “The answer to this question is unfortunately not a straightforward one, but to keep it simple: when a program puts so many restrictions that a researcher just keeps hitting walls in every direction they move, it’s time to go back to the drawing board.”

Bolton said the push and pull between the military and security researchers is indicative of more widespread tensions, an obstacle that needs to be surmounted if the military wants to secure its contracting base.

“When you go to the doctor, you have to give up some information – and some of it is very sensitive information – in order for that doctor to diagnose you and provide you with a cure for whatever you have,” said Bolton.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
