DOD’s Vulnerability Disclosure Program for Contractors Is in Demand

A Defense Department unit kicked off a pilot program to allow hackers to report vulnerabilities in systems operated by “a few dozen” defense-industrial-base companies Monday.


“The program received numerous applicants,” a spokesperson for Defense’s Cyber Crime Center told Nextgov. “However, during this initial launch pilot, we will be moving forward with a few dozen.”


For the pilot, DC3 will act as a middleman in the program between researchers and the DIB companies. Much of the work of maintaining a vulnerability disclosure program is validating and prioritizing the reports submitted by more than 2,000 participating researchers around the globe. Under the pilot, DC3 will take on that triaging responsibility and will even provide guidance for remediation of vulnerabilities. But the center will stop short of fixing them. That’s the responsibility of the companies.


DC3, not the companies, will have the power to consider vulnerability reports closed. But officials said they would consider plans of action and milestones and official acceptance of risk when deciding whether to do so. The program is only enforceable on the honor system.


The spokesperson would not disclose the exact number of companies participating. But, in line with a feasibility study conducted by Carnegie Mellon University’s Software Engineering Institute, the department set out to accept the applications of no more than 20.


“DC3 continues to be impressed by the increased interest and openness of DIB partners to readily engage in innovative cyber vulnerability defense measures,” the spokesperson said.


The exact assets within scope of the program are listed on the HackerOne page for the p ..