Page 17 - FCW, Nov/Dec 2016

HOW DOD EMBRACED BUG BOUNTIES — AND HOW YOUR AGENCY CAN, TOO
on proved to Defense Department officials that outside hackers can be assets, not adversaries
BY SARAH LAI STIRLAND
It was a Tuesday in April, and Mark Litchfield was poking around the Defense Department’s Defense Video Imagery Distribution System, looking for security holes.
It didn’t take him long to find one. He soon uncovered a vulnerability known as a blind persistent cross-site scripting (XSS) flaw. It could enable any maliciously minded hacker to log in as a site administrator and broadcast whatever content he or she wanted from the DVIDS website, which is the primary way the U.S. military keeps the public informed about its activities around the world. The hacker could also have accessed the email messages of the registered users of DVIDS.
“As you can imagine, [Islamic State militants], if they had launched that kind of attack, they would have had a field day if they could upload whatever they wanted onto a website that’s run by the military,” Litchfield said.
Such propaganda risks are hardly hypothetical; last year, Islamic State sympathizers hacked into U.S. Central Command’s Twitter feed and YouTube accounts.
Luckily it was Litchfield, a security researcher and entrepreneur, who discovered the vulnerability — and he did so at DOD’s invitation.
Had he discovered the problem under regular circumstances, it would not have been clear what he could do about it. Like most other websites, DVIDS does not provide explicit instructions on how to responsibly report problems. Instead, in the “Privacy and Security” section, DOD threatens prosecution for any unauthorized attempts to upload or change the information provided by DVIDS.
But Litchfield was able to report the problem — and 35 others — without fear of prosecution because he was participat-
November/December 2016
FCW.COM 17