More than 60 valid reports submitted since start of program three months ago

Security professionals at the Bundeswehr's cybersecurity center in Germany

The German armed forces (‘Bundeswehr’) has reported a promising start to its recently launched vulnerability disclosure program (VDPBw).

Despite the absence of paid bug bounty rewards, more than 30 security researchers have submitted in excess of 60 valid vulnerabilities within 13 weeks of the scheme’s launch, a spokesman for the Bundeswehr told The Daily Swig.

These have included cross-site scripting (XSS), SQL injection, misconfiguration, data leakage, and open redirect bugs.

Launched in October 2020, the VDPBw applies to internet-facing IT systems and web applications belonging to the German armed forces’ various military branches and civil administration authorities.

Not for profit

‘SecuNinja’, who currently sits 17th on the Open Bug Bounty hall of fame, submitted vulnerability reports to the Bundeswehr before the VDP was even in place.

The German security researcher told The Daily Swig they had been “curious about the security posture of federal agencies”, adding: “A good indicator is usually their website so that was where I started and successfully discovered some vulns.”

The Bundeswehr’s “friendly and very professional communication” has encouraged the researcher to continue probing its applications despite the lack of a financial incentive.




“Some of us are not only profit-oriented but also [do] hacking out of curiosity or to learn.

“I’m in the lucky situation that I can hack for fun and sacrifice my time for the cause. And sure, it’s always more fun if you’re finding technology you’re interested in.”

Also undeterred by the absence of bug bounties, Marcus Mengs, creator of Raspberry Pi USB attack framework P4wnP1, has previously praised the Bundeswehr for rapidly fixing the denial-of-service flaw (PDF) he found via web cache poisoning.

“This special kind of vulnerability could be tested without doing harm to the system under test (if done correctly),” he told The Daily Swig.

“I tested various targets, which either run a VDP or would accept vulnerability reports in order to improve security.”

Bug bounty criticism

Despite the program’s auspicious start, Christoph Paul, spokesperson at the Bundeswehr’s German Cyber and Information Domain Service headquarters (KdoCIR), said that there had been criticism from some quarters about the absence of bug bounties.

“Adequate financial rewards would still have a lot of formal, legal and financial challenges to solve in a very long process for us within the given framework as a public federal organization,” he told The Daily Swig. “We did not want to wait that long”.

In contrast, the “formal or legal aspects were minor” in relation to setting up a bounty-free VDP.




Incidentally, in a recent interview with The Daily Swig, American bug hunter Tommy DeVoss has described the VDPBw’s similarly bounty-free US counterpart, the US Department of Defense’s VDP on HackerOne, as an ideal training ground for novice bug hunters because of the sheer breadth of technologies in use.

Paul said the Bundeswehr had leveraged its “broad formal and informal connections into the national and international cyber community” in drafting its policy.

The Bundeswehr’s CISO, Major General Jürgen Setzer, has also reflected on the program’s development in a Q&A published on the Bundeswehr website in December.

