Government officials and cybersecurity experts are arguing that companies need to embrace vulnerability disclosure programs to guard against hacking, amid pushback from the largest voting machine company in the United States, which has portrayed efforts to test its systems as a tactic of foreign spycraft. Vulnerability disclosure programs that invite hackers to test computer systems are a show of strength, participants in a Sept. 18 event at the Atlantic Council argued.

“Not having a vulnerability disclosure program amounts to cybersecurity negligence,” said Marten Mickos, the head of HackerOne.

It is a myth that companies can adequately test their systems on their own, said Chris Nims, chief information security officer at Oath, the Verizon media subsidiary. Even large companies that perform penetration testing on their own products cannot catch every vulnerability, he argued. “The reality is that is simply not true.”
Many companies go a step further than a disclosure channel and sponsor bug bounty programs that pay monetary rewards for reporting flaws in software or hardware. Perhaps the best known program is Hack the Pentagon, which launched in 2016 under then Secretary of Defense Ash Carter.
“It’s hard to be a network owner and say ‘I have something that is more valuable than the Department of Defense,’” said Leonard Bailey, special counsel for national security at the Department of Justice. “It is an industry standard that there is somewhere between 15 and 50 errors per thousand lines of code and most of the commercial products are tens of millions of lines of code … there are vulnerabilities in the system.”
Full article: Could white hat hackers boost security of voting machines?