Government
Posting Hackers and Exploit Bounties NEED TO KNOW and NICE TO HAVE
NEED TO KNOW
Hacker hats: the color depends on motivation, expertise, and whether or not the hacker is breaking the law
Black hat hackers: cause malicious harm, steal or modify data without permission
White hat hackers: ethical hackers, have permission to test and penetrate the system to find problems, do not steal or modify data
Grey hat hackers: go both ways: they can find and disclose to help improve the system, or find and exploit to steal and modify. Either way, they don’t have permission to be in the system.
USG offensive hackers are grey hats: they intrude into foreign cyber systems without permission, and the USG chooses to either responsibly disclose or use the vulnerability to exploit the system, depending on the circumstances.
Responsible vulnerability disclosure:
–find the vulnerability and tell the vendor;
–vendor works to fix, keeping the finder apprised of progress;
–vendor releases patch and explains the problem and the fix, giving credit to the finder;
–if the vulnerability is found and exploited by a malicious actor before it is patched, publicly disclose immediately and discuss mitigation (while working frantically to create a patch).
____________________________________________________________________________
NICE TO HAVE:
–An understanding of how the hacker world has changed, with white hats being recognized and brought into the industry, which offers a financial outlet for trained personnel overseas to make money while remaining white hats
–An understanding of how cybersecurity problems have morphed over the years, as this provides some perspective of what we might expect in cyber conflict and policy issues in the coming years
–An understanding of how cyber risk plays into the government decision to responsibly disclose or hoard and exploit a potential vulnerability.