Senator Highlights Significance of Defense Department's Vulnerability Disclosure Programs

Mark Reinstein/Shutterstock

The letter follows a report that a Defense server was exploited to mine cryptocurrency.

Sen. Mark Warner, D-VA., penned a letter to Defense Department Chief Information Officer Dana Deasy this week stressing the value of the agency’s vulnerability disclosure programs and highlighting legislation he’s introduced to help to ensure vendors of products related to the internet of things maintain similar, coordinated schemes. 

The note was prompted by security journalist Catalin Cimpanu’s recent report that a Pentagon-led vulnerability disclosure program enabled a researcher to flag that one of Defense’s servers was exploited and the department’s resources and information technology systems were subsequently used to mine cryptocurrency. 

“This incident demonstrates the inherent value of vulnerability disclosure programs for information technology products operated by federal agencies,” Warner said in the letter. “These programs are a crucial force multiplier for federal cybersecurity efforts.”

According to Cimpanu’s report from Feb. 5, an Indian security researcher on the hunt for bug bounties unearthed in January “that a cryptocurrency-mining botnet had found a home and burrowed inside a web server operated by” the Defense Department. The researcher first identified a vulnerability on a Pentagon-managed cloud system exposed to the internet and then discovered cryptocurrency-mining malware was installed and operating on the server. The researcher then reported it to Defense’s official bug bounty program. 

“Clear guidelines and a process for security researchers to find and share vulnerabilities enabled this malware discovery, and ultimately prompt remedial action by [Defense],” Warner wrote. “Continuing to encourage the responsible discovery and disclosure of bugs or vulnerabilities on federal information technology systems with both internal and outside security researchers can only strengthen the cybersecurity posture of federal and [Defense] systems.”

In the letter, the senator, who serves as vice chairman of the Senate Select Committee on Intelligence and co-chair of the bipartisan Senate Cybersecurity Caucus, also highlighted his Internet of Things Cybersecurity Improvement Act. Warner said the bill would ensure the IoT vendors maintain their own coordinated vulnerability programs, and ultimately “serve as a complement to the procedures [Defense] already employs.”

“I am hopeful that [Defense] will take the lessons from this incident seriously and reassess current processes as necessary,” Warner said.