Organizations and institutions do not usually allow outsiders to hack their internal systems for any reason, but the US Military is now giving hackers a chance to point out vulnerabilities in its online systems without getting into any trouble. The permission is granted through a newly designed policy that applies military-wide. The US Government wants you to hack the US Military and the Pentagon to test your skills. The policy clearly states that researchers must not publish any vulnerability they find in the system without the US Government’s consent.
This new policy by the US Department of Defense gives hackers the green signal to test their cyber skills, weapons and tools against any web-based property. The catch is that only web properties owned and operated by the Defense Department may be exploited.
The department made the announcement public through Hackerone.com, a platform that helps organizations manage and/or develop policies related to vulnerabilities and helps clients develop bug bounty programs that reward researchers for identifying security flaws.
According to the US Military, researchers are required to “discover, test, and submit vulnerabilities or indicators of vulnerabilities” in accordance with the department’s guidelines and ground rules, which are as follows:
- Testing the system for identification or indication of a vulnerability
- Testing after receiving information from the department regarding a vulnerability, or identifying and sharing a vulnerability or indicator of vulnerability with the department
The policy’s main purpose is to discover any hidden vulnerabilities in the department’s networks and systems and to fix the issues in a timely manner. It also aims to clear up the confusion among security researchers about how to report vulnerabilities that they identify in military systems.
When a researcher reports a vulnerability to the department, it will first counter-check and confirm the presence of the flaw and then inform the researcher about any ongoing remediation. However, researchers are required to refrain from exposing their findings to the public until the department grants them written approval to do so.