German armed forces reveals encouraging start to security vulnerability disclosure program

The German armed forces (‘Bundeswehr’) has reported a promising start to its recently launched vulnerability disclosure program (VDPBw).

Despite the absence of paid bug bounty rewards, more than 30 security researchers have submitted in excess of 60 valid vulnerabilities within 13 weeks of the scheme’s launch, a spokesman for the Bundeswehr told The Daily Swig.

These have included cross-site scripting (XSS), SQL injection, misconfiguration, data leakage, and open redirect bugs.

Launched in October 2020, the VDPBw applies to internet-facing IT systems and web applications belonging to the German armed forces’ various military branches and civil administration authorities.

Not for profit

‘SecuNinja’, who currently sits 17th on the Open Bug Bounty hall of fame, submitted vulnerability reports to the Bundeswehr before the VDP was even in place.

The German security researcher told The Daily Swig they had been “curious about the security posture of federal agencies”, adding: “A good indicator is usually their website so that was where I started and successfully discovered some vulns.”

The Bundeswehr’s “friendly and very professional communication” has encouraged the researcher to continue probing its applications despite the lack of a financial incentive.

[Image: Bundeswehr CISO Major General Jürgen Setzer]

“Some of us are not only profit-oriented but also [do] hacking out of curiosity or to learn.

“I’m in the lucky situation that I can hack for fun and sacrifice my time for the cause. And sure, it’s always more fun if you’re finding technology you’re interested in.”

Also undeterred by the absence of bug bounties, Marcus Mengs, creator of Raspberry Pi USB attack framework P4wnP1, has previously praised the Bundeswehr for rapidly fixing the denial-of-service flaw (PDF) he found via web cache poisoning.

“This special kind of vulnerability could be tested without doing harm to the system under test (if done correctly),” he told The Daily Swig.

“I tested various targets, which either run a VDP or would accept vulnerability reports in order to improve security.”

Bug bounty criticism

Despite the program’s auspicious start, Christoph Paul, spokesperson at the Bundeswehr’s German Cyber and Information Domain Service headquarters (KdoCIR), said that there had been criticism from some quarters about the absence of bug bounties.

“Adequate financial rewards would still have a lot of formal, legal and financial challenges to solve in a very long process for us within the given framework as a public federal organization,” he told The Daily Swig. “We did not want to wait that long.”

In contrast, the “formal or legal aspects were minor” in relation to setting up a bounty-free VDP.

Incidentally, in a recent interview with The Daily Swig, American bug hunter Tommy DeVoss has described the VDPBw’s similarly bounty-free US counterpart, the US Department of Defense’s VDP on HackerOne, as an ideal training ground for novice bug hunters because of the sheer breadth of technologies in use.

Paul said the Bundeswehr had leveraged its “broad formal and informal connections into the national and international cyber community” in drafting its policy.

The Bundeswehr’s CISO, Major General Jürgen Setzer, has also reflected on the program’s development in a Q&A published on the Bundeswehr website in December.

Source: https://portswigger.net/daily-swig/german-armed-forces-reveals-encouraging-start-to-security-vulnerability-disclosure-program