Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems

This move allows greater research and reporting of bugs to Pentagon

depatment of defenve buiding

The US Department of Defense (DoD) has expanded its Vulnerability Disclosure Program (VDP) to include all publicly accessible DoD websites and systems.

The VDP is run by the Department of Defense Cyber Crime Center (DC3) to enable security researchers to report vulnerabilities on the DoD Information Network (DoDIN) to improve network defense.

The expansion announced today allows for research and reporting of vulnerabilities related to all DOD publicly accessible networks, frequency-based communication, internet of things (IoT), and industrial control systems, according to Brett Goldstein, the director of the Defense Digital Service. Originally, the program was limited to DoD public-facing websites and applications.

Related Resource

X-Force threat intelligence index

Understand the threat landscape with fresh intelligence

X Force threat intelligence indexDownload now

"This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," he said.

Before the program’s launch, researchers had no way of reporting bugs they found in publicly accessible DoD systems. 

“Because of this, many vulnerabilities went unreported," said Goldstein. "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."

Since the launch of the Vulnerability Disclosure Program, security researchers have submitted over 29,000 vulnerability reports. Officials said that over 70% of them were determined to be valid.

Experts believe the expansion will lead to a massive increase in the number of bugs reported to them.

"The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," said DOD Cyber Crime Center director Kristopher Johnson.

In April, the DoD Cyber Crime Center unveiled a 12-month Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot to enable security researchers to report flaws in DoD contractor partner’s information systems, web properties, and other identified scoped assets. The 12-month program aspires to employ the lessons learned from existing reports made through the Pentagon’s Vulnerability Disclosure Program.

“The expansion of vulnerability research to participating DoD contractor networks replicates the DoD’s’ success by making participating DoD contractor networks available for vulnerability research,” said the DoD's Cyber Crime Center on its HackerOne webpage. “No technology is perfect, but DC3 believes that working with skilled security researchers across the globe is crucial to identifying their weaknesses.”

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Putin open to handing cyber criminals over to US
hacking

Putin open to handing cyber criminals over to US

14 Jun 2021
Futurex‌ ‌and Google enable‌ ‌client-side‌ ‌Google‌ ‌Workspace encryption‌
Google Docs

Futurex‌ ‌and Google enable‌ ‌client-side‌ ‌Google‌ ‌Workspace encryption‌

14 Jun 2021
The complete guide to building a security awareness programme that works
Whitepaper

The complete guide to building a security awareness programme that works

14 Jun 2021
2021 state of the phish
Whitepaper

2021 state of the phish

14 Jun 2021

Most Popular

Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Fastly blames software bug for major outage
public cloud

Fastly blames software bug for major outage

9 Jun 2021
GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021