DoD Vulnerability Program Reaches Five-Year Milestone
Department of Defense Cyber Crime Center (DC3) sent this bulletin at 11/22/2021 10:02 AM EST
The DoD Cyber Crime Center (DC3) Vulnerability Disclosure Program (VDP) reaches another milestone this month as it marks the fifth anniversary of its establishment by the Secretary of Defense in November 2016.
The program is derived from the “Hack the Pentagon” bug-bounty pilot program launched in April 2016 by the Defense Digital Service, which involved cybersecurity researchers using their skill sets to find vulnerabilities within DoD websites.
At that time, the concept of DoD working with private-sector, white hat researchers was a huge step into a new realm of DoD cybersecurity.
“When the VDP was established in 2016, it was considered innovative and extreme,” said Melissa Vice, interim director, DC3 VDP. “In the past five years, the proven successes of implementing vulnerability disclosure policies, programs, and bug bounties have led to a whole-of-government adoption of VDPs.”
VDP’s cyber analysts validate, triage and process mitigation of vulnerabilities reported by HackerOne’s crowd-sourced researchers analyzing DoD’s publicly accessible assets, providing layered defense-in-depth and reducing the DoD Information Networks (DoDIN) attack surface.
Since 2016, VDP has received more than 36,000 vulnerability reports, discovered by more than 3,000 cybersecurity researchers in 45 countries, resulting in nearly 70 percent of vulnerabilities being validated as actionable and processed for remediation.
“VDP is the epitome of a success story achieved by thinking outside of the box,” said DC3 Executive Director Jeffrey Specht. “Five years ago, DoD embraced the notion of working with white hat researchers, and it was proven in a short time that the researchers were an indispensable resource for DoD. VDP continues to thrive today as it works in partnership with the researchers, the website/system owners and the Joint Force Headquarters Department of Defense Information Network. I look forward to seeing where VDP heads during the next five years.”
In January 2021, the DoD VDP scope was officially expanded from public-facing websites to all publicly accessible DoD information systems. The VDP is codified as the single point of processing for all vulnerability reporting for Joint Force Headquarters DoDIN and U.S. Cyber Command, broadening the protection of the DoD attack surface and the safe harbor for researchers, while providing more asset and technology security.
In April this year, VDP launched a 12-month Defense Industrial Base (DIB)-VDP Pilot in collaboration with the Defense Counterintelligence and Security Agency (DCSA) and DC3 DCISE, to apply the five years of lessons learned to the Defense Industrial Base (DIB). The DIB VDP pilot provides free vulnerability disclosure for the publicly accessible information systems, networks and applications that voluntary DIB company participants place in scope for the researcher community.
“As the Federal government’s first, longest running and largest Vulnerability Disclosure Program (VDP), we are happy to share our five years of lessons learned when called upon to advise others as they establish their burgeoning programs,” said Vice. “A whole-of-government approach to improved cyber hygiene and supply chain risk mitigation is best for everyone.”
Learn more about VDP online at https://www.dc3.mil/Organizations/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/ or follow on Twitter at https://twitter.com/DC3VDP.