Senator Highlights Significance of Defense Department's Vulnerability Disclosure Programs

Sen. Mark Warner, D-Va., penned a letter to Defense Department Chief Information Officer Dana Deasy this week stressing the value of the agency’s vulnerability disclosure programs and highlighting legislation he’s introduced to help ensure vendors of internet-of-things products maintain similar, coordinated schemes.


The note was prompted by security journalist Catalin Cimpanu’s recent report that a Pentagon-led vulnerability disclosure program enabled a researcher to flag that one of Defense’s servers was exploited and the department’s resources and information technology systems were subsequently used to mine cryptocurrency. 


“This incident demonstrates the inherent value of vulnerability disclosure programs for information technology products operated by federal agencies,” Warner said in the letter. “These programs are a crucial force multiplier for federal cybersecurity efforts.”


According to Cimpanu’s report from Feb. 5, an Indian security researcher on the hunt for bug bounties unearthed in January “that a cryptocurrency-mining botnet had found a home and burrowed inside a web server operated by” the Defense Department. The researcher first identified a vulnerability on a Pentagon-managed cloud system exposed to the internet and then discovered cryptocurrency-mining malware was installed and operating on the server. The researcher then reported it to Defense’s official bug bounty program. 


“Clear guidelines and a process for security researchers to find and share vulnerabilities enabled this malware discovery, and ultimately prompt remedial action by [Defense],” Warner wrote. “Continuing to encourage the responsible discovery and disclosure of bugs or vulnerabilities on federal information technology systems with both intern ..