US Department of Defense (DOD) officials today announced that the department’s Vulnerability Disclosure Program (VDP) has been expanded to include all publicly accessible DOD websites and applications.
DOD’s VDP is led by the Department of Defense Cyber Crime Center (DC3), and it allows security researchers to search for and report any vulnerabilities affecting public-facing DOD information systems.
Number of reports expected to increase drastically
With today’s expansion, researchers can look for security issues impacting all publicly accessible “DOD networks, frequency-based communication, Internet of Things, industrial control systems, and more.”
Before the VDP was launched, ethical hackers had no way to interact with the DOD even when they discovered valid vulnerabilities.
“Because of this, many vulnerabilities went unreported,” Brett Goldstein, the director of the Defense Digital Service, said.
“The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems.”
With the VDP’s scope expanding, DOD Cyber Crime Center director Kristopher Johnson expects the number of reports to increase dramatically, as security researchers can now discover and report vulnerabilities that were previously out of scope.
“The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” Johnson added.
More than 30,000 reports submitted via DOD’s VDP
Since it was officially established in 2016, over 30,000 vulnerability reports have already been submitted through this program, with more than 70% of them containing a valid bug impacting DOD systems.
The DOD used information collected through the bug bounty program to strengthen the security of the US DoD Information Network (DoDIN).
In collaboration with the Defense Counterintelligence and Security Agency, the DoD Cyber Crime Center launched a 12-month Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot in April for defense industrial base (DIB) companies.
The DIB-VDP allows ethical hackers to report vulnerabilities in DoD contractor partners’ information systems, web properties, and other in-scope assets.
“The expansion of vulnerability research to participating DoD contractor networks replicates the DoD’s success by making participating DoD contractor networks available for vulnerability research,” DoD’s Cyber Crime Center explains.