The United States Army should establish a central program for disclosing and managing software vulnerabilities plaguing the organization’s systems, according to a paper published last week by two U.S. Army captains.
Bug bounty programs such as the ones run by Google, Facebook, Microsoft and PayPal can be very efficient in convincing researchers to responsibly disclose vulnerabilities, and the U.S. Army should create a similar program to prevent security holes from going unreported and unresolved, said Captain Rock Stevens and Captain Michael Weigand.
According to Stevens and Weigand, the Army already has several programs in place for managing vulnerabilities, but they don't authorize personnel to conduct proper testing with appropriate tools. As for reporting vulnerabilities, a standard operating procedure exists, but submissions are not centrally tracked or managed.
“The current operating environment for vulnerability researchers within the DoD is an atmosphere fraught with danger and much trepidation. Personnel are hesitant to disclose known vulnerabilities in systems out of a fear of reprisal,” the Army cyber experts noted.
In a paper published on the Cyber Defense Review website, Stevens and Weigand propose the creation of an Army Vulnerability Response Program (AVRP) modeled on the bug bounty programs run by private-sector companies.
“The AVRP will serve as the central reporting mechanism for vulnerabilities in Army networks and will receive reports on poor configurations or gaps in security that could allow attackers to degrade Army systems. These systems include Army digital training management systems, Army Battle Command Systems, logistics procurement systems, and combat platforms deployed in hostile environments. Researchers can report vulnerabilities through a phone hotline or an online submission portal. The AVRP will track all submissions, facilitate the flow of communication with affected entities, and play an integral role in resolving the vulnerability throughout US government networks,” the paper reads.
Cyber espionage groups suspected of operating on behalf of Russia and China have often breached U.S. government systems storing sensitive information, including the systems of the White House, the Office of Personnel Management (OPM), the Pentagon, the State Department, and even the Army. The Army cyber security experts believe such incidents might have been avoided had the government implemented lessons learned from the private sector.
While the AVRP would be a closed program mainly designed for Department of Defense personnel, the vulnerability reporting platform can also be used by “concerned citizens,” although they would not be involved in the remediation process.
Stevens and Weigand believe service members would take part in the program without needing any incentive, other than knowing that they used their skills to serve their country. However, they propose a series of non-monetary rewards, such as guaranteed slots in graduate studies programs, training at businesses like Google and Microsoft, and participation in security conferences.
As an alternative to an Army-run bug bounty program, the experts suggested using the services of companies such as Zero Day Initiative or Bugcrowd, but they pointed out that the associated costs would most likely be substantial, since these companies would have to change their current practices to handle classified disclosures.
Bugcrowd says it’s prepared to handle such a bug bounty program for the U.S. Army.
“The Army would have to ask whether bringing in a third party would be a substantial cost in comparison to running it in house, which isn’t a given when you consider all of the different variables that go into building a successful bug bounty program,” said Casey Ellis, CEO and co-founder of Bugcrowd. “Bugcrowd would be ideally suited for a large-scale program like the US Army, and would be especially helpful with the initial stages as the Army rolls out private pilot programs of bug bounty.”
“With a combination of Bugcrowd's proprietary platform and elite team of researchers who specialize in private, enterprise-grade bounties, we are well prepared to handle programs like this,” Ellis told SecurityWeek. “Bugcrowd specializes in making a bug bounty program successful for the team that is running them, which at the end of the day might cost less than the Army trying to do it on its own.”