[neilv]

Two questions prompted by this disclosure:

1. I didn't see mention of a bug bounty program giving limited authorization. How do independent researchers do this with legal safety? Especially when DoD is involved?

2. If a researcher discovered a vulnerability at a DoD contractor, and the contractor didn't seem to be resolving the problem, is there a DoD contact point that would be effective and safe for the researcher to report it?

[orthogonal_cube]

To answer the first question, a number of veteran independent researchers probably wouldn’t have touched such a system. Plenty of companies will send their lawyers after you if you tell them that you’ve discovered a vulnerability of some sort and wish to responsibly disclose. Even if you do things in good faith, the company has zero reason to assume the best from you and can hold a sword over your head by citing poorly-written laws that lean in their favor regarding computer fraud and abuse.

DoD does appear to offer a “Defense Industrial Base - Vulnerability Disclosure Program” for all public-facing DoD/DoW systems.[1] However, this might not include contractor-controlled assets or services. I cannot view the HackerOne page that it redirects to (login is required) to view more details.

[1]: https://www.dc3.mil/Missions/Vulnerability-Disclosure/DIB-Vu...

[ungreased0675]

The line between security research and espionage seems really thin.

[skinfaxi]

Would spies disclose their findings?

[antonymoose]

> How do independent researchers do this with legal safety?

In my experience it’s usually foreign nationals from third-world countries doing drive-by beg-bounty testing. Presumably they don’t much consider legality.

[bornfreddy]

> Presumably they don’t much consider legality.

Or the operation is not even illegal where they come from?