IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems

This move allows greater research and reporting of bugs to Pentagon

depatment of defenve buiding

The US Department of Defense (DoD) has expanded its Vulnerability Disclosure Program (VDP) to include all publicly accessible DoD websites and systems.

The VDP is run by the Department of Defense Cyber Crime Center (DC3) to enable security researchers to report vulnerabilities on the DoD Information Network (DoDIN) to improve network defense.

The expansion announced today allows for research and reporting of vulnerabilities related to all DOD publicly accessible networks, frequency-based communication, internet of things (IoT), and industrial control systems, according to Brett Goldstein, the director of the Defense Digital Service. Originally, the program was limited to DoD public-facing websites and applications.

"This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," he said.

Before the program’s launch, researchers had no way of reporting bugs they found in publicly accessible DoD systems. 

“Because of this, many vulnerabilities went unreported," said Goldstein. "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."

Since the launch of the Vulnerability Disclosure Program, security researchers have submitted over 29,000 vulnerability reports. Officials said that over 70% of them were determined to be valid.

Experts believe the expansion will lead to a massive increase in the number of bugs reported to them.

"The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," said DOD Cyber Crime Center director Kristopher Johnson.

In April, the DoD Cyber Crime Center unveiled a 12-month Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot to enable security researchers to report flaws in DoD contractor partner’s information systems, web properties, and other identified scoped assets. The 12-month program aspires to employ the lessons learned from existing reports made through the Pentagon’s Vulnerability Disclosure Program.

“The expansion of vulnerability research to participating DoD contractor networks replicates the DoD’s’ success by making participating DoD contractor networks available for vulnerability research,” said the DoD's Cyber Crime Center on its HackerOne webpage. “No technology is perfect, but DC3 believes that working with skilled security researchers across the globe is crucial to identifying their weaknesses.”

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Solve cyber resilience challenges with storage solutions
Whitepaper

Solve cyber resilience challenges with storage solutions

4 Jul 2022
Storage's role in addressing the challenges of ensuring cyber resilience
Whitepaper

Storage's role in addressing the challenges of ensuring cyber resilience

4 Jul 2022
Introducing IBM Security QRadar XDR
Whitepaper

Introducing IBM Security QRadar XDR

4 Jul 2022
The Total Economic Impact™ of IBM Security MaaS360 with Watson
Whitepaper

The Total Economic Impact™ of IBM Security MaaS360 with Watson

4 Jul 2022

Most Popular

Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022
Latest LockBit ransomware strain 'strikingly similar' to BlackMatter
ransomware

Latest LockBit ransomware strain 'strikingly similar' to BlackMatter

4 Jul 2022