
Army Experts Call for Vulnerability Response Program

The United States Army should establish a central program for disclosing and managing software vulnerabilities plaguing the organization’s systems, according to a paper published last week by two U.S. Army captains.

Bug bounty programs such as the ones run by Google, Facebook, Microsoft and PayPal can be very efficient in convincing researchers to responsibly disclose vulnerabilities, and the U.S. Army should create a similar program to prevent security holes from going unreported and unresolved, said Captain Rock Stevens and Captain Michael Weigand.

According to Stevens and Weigand, the Army has several programs in place for managing vulnerabilities, but they don’t allow personnel to conduct proper tests using proper tools. As for reporting vulnerabilities, a standard operating procedure exists, but it’s not centrally tracked or managed.

“The current operating environment for vulnerability researchers within the DoD is an atmosphere fraught with danger and much trepidation. Personnel are hesitant to disclose known vulnerabilities in systems out of a fear of reprisal,” the Army cyber experts noted.

In a paper published on the Cyber Defense Review website, Stevens and Weigand propose the creation of an Army Vulnerability Response Program (AVRP) that is similar to a bug bounty program run by private sector companies.

“The AVRP will serve as the central reporting mechanism for vulnerabilities in Army networks and will receive reports on poor configurations or gaps in security that could allow attackers to degrade Army systems. These systems include Army digital training management systems, Army Battle Command Systems, logistics procurement systems, and combat platforms deployed in hostile environments. Researchers can report vulnerabilities through a phone hotline or an online submission portal. The AVRP will track all submissions, facilitate the flow of communication with affected entities, and play an integral role in resolving the vulnerability throughout US government networks,” the paper reads.

Cyber espionage groups suspected of operating on behalf of Russia and China have often breached U.S. government systems storing sensitive information, including the systems of the White House, the Office of Personnel Management (OPM), the Pentagon, the State Department, and even the Army. The Army cyber security experts believe such incidents might have been avoided had the government implemented lessons learned from the private sector.

While the AVRP would be a closed program mainly designed for Department of Defense personnel, the vulnerability reporting platform can also be used by “concerned citizens,” although they would not be involved in the remediation process.

Stevens and Weigand believe service members would take part in the program without needing any incentive, other than knowing that they used their skills to serve their country. However, they propose a series of non-monetary rewards, such as guaranteed slots in graduate studies programs, training at businesses like Google and Microsoft, and participation in security conferences.

As an alternative to an Army-run bug bounty program, the experts suggested using the services of companies such as Zero Day Initiative or Bugcrowd, but they pointed out that the associated costs would most likely be substantial, since these companies would have to change their current practices to handle classified disclosures.

Bugcrowd says it’s prepared to handle such a bug bounty program for the U.S. Army.

“The Army would have to ask whether bringing in a third party would be a substantial cost in comparison to running it in house, which isn’t a given when you consider all of the different variables that go into building a successful bug bounty program,” said Casey Ellis, CEO and co-founder of Bugcrowd. “Bugcrowd would be ideally suited for a large-scale program like the US Army, and would be especially helpful with the initial stages as the Army rolls out private pilot programs of bug bounty.”

“With a combination of Bugcrowd’s proprietary platform and elite team of researchers who specialize in private, enterprise-grade bounties, we are well prepared to handle programs like this,” Ellis told SecurityWeek. “Bugcrowd specializes in making a bug bounty program successful for the team that is running it, which at the end of the day might cost less than the Army trying to do it on its own.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
