Bundeswehr emulates US counterparts in formalizing bug reporting process
UPDATED The German armed forces (‘Bundeswehr’) have launched a responsible disclosure program for reporting security vulnerabilities.
The Bundeswehr comprises Germany’s army, air force, navy, medical corps, territorial army, Cyber and Information Domain Service, and associated civil administration and procurement authorities.
The news has been welcomed by Vulnerability Lab, a German security firm that unearths, documents, and alerts vendors to vulnerabilities in their applications and systems.
“In recent years, we have also repeatedly reported security gaps and vulnerabilities in the digital environment to the Bundeswehr,” it said in an article on its Vulnerability Magazine website.
“It may have become clear to the Bundeswehr that exponential added value could be created here in the long term” by formalizing the disclosure process.
The lack of an official mechanism for reporting security vulnerabilities meant “there was mistrust in the project and skepticism in the handling of some high-ranking decision-makers”, added Vulnerability Lab.
However, Benjamin Kunz Mejri, security researcher and CEO of the Vulnerability Lab, told The Daily Swig that “the feedback from the Bundeswehr has always been very positive when it comes to individual reports of security gaps or security vulnerabilities.”
In launching the VDPBw, as the program is known, the Bundeswehr has emulated its military counterparts across the Atlantic.
The US Department of Defense established a vulnerability disclosure policy on HackerOne in 2016, while time-sensitive bug bounty programs such as Hack the Pentagon and Hack the Army have become firm fixtures on the platform.
However, few government agencies worldwide have followed suit. Three notable exceptions are Singapore’s Government Technology Agency (GovTech), which has been on HackerOne since October 2019; the Netherlands government; and the UK’s National Cyber Security Centre, which last month posted a policy on GitHub that applies to participating government departments.
“As is well known, public authorities find it difficult to introduce new things,” said Vulnerability Lab, which praised the Bundeswehr for publishing the VDPBw. “We hope that other Bundeswehr authorities will follow suit and recognize the added security value.”
The VDPBw “can provide further information on unknown vulnerabilities and security gaps in our systems in addition to our own research,” Christoph Paul, press officer for the Bundeswehr, told The Daily Swig.
The policy applies to “Bundeswehr IT systems and web applications” that are “connected to and accessible over the internet, particularly the websites of the Bundeswehr”.
Paul urged “security researchers to proceed with professional expertise in order not to cause any damage” and to keep their activities within scope.
The Bundeswehr says security researchers will be kept informed about the validity and remediation of any bugs reported, with successful submissions being recognized on an acknowledgements page.
Paul said there were no plans to offer bug bounties for successful submissions at present.
Vulnerability Lab has noted that the VDPBw mirrors policies in place at other Bundeswehr bodies, including the Institute for Microbiology.
The Daily Swig has asked the Bundeswehr whether it has plans to pay researchers for validated security flaws.
This article was updated on October 27 with the addition of comments from Benjamin Kunz Mejri of the Vulnerability Lab, and on November 6 with comments from the Bundeswehr.