Linthicum Heights, Md. – The Department of Defense’s (DoD) Vulnerability Disclosure Program (VDP) operates as a functional directorate within the DoD Cyber Crime Center (DC3). VDP began in 2016 with two missions: to serve as the focal point for facilitating vulnerability reports and to interact with crowd-sourced cybersecurity researchers supporting the Department of Defense Information Network (DoDIN). In February 2023, the program processed its 45,000th report – a historic milestone. Much of the program’s success is credited to partner engagement, both internally within the DoD, as well as externally with the greater researcher community.
VDP began as an extension of the “Hack the Pentagon” project run by the predecessor to today’s DoD Directorate for Digital Services (DDS). At the time, VDP partnered with Joint Force Headquarters-DoDIN (JFHQ-DoDIN) to manually process all valid reports received from the researcher community. It wasn’t until the summer of 2018 that the system known as the Vulnerability Report Management Network (VRMN) began production service to automate, track, and process all reporting, creating a much more efficient process. Since then, the VDP reporting process has matured to include selection of a report of the month, a report of the year, publication of a monthly “Bug Bytes” report, and an annual report.
The advancement of the program has enabled VDP to expand its mitigation scope beyond findings on DoD websites and applications to all publicly accessible and/or available information technology assets owned and operated by the JFHQ-DoDIN network.
In April 2021, the DoD launched a twelve-month Defense Industrial Base VDP (DIB-VDP) pilot as a collaborative endeavor to promote cyber hygiene and reduce the attack surface of voluntary DIB participants. The pilot centered on discovering and remediating vulnerabilities on the publicly accessible assets of the DIB participants. VDP’s participation in the pilot program earned an award during the 2022 DoD Chief Information Officer Awards program. The award recognized VDP’s coordinated remediation of more than 400 actionable vulnerabilities found on participants’ public-facing assets, which saved the DIB an estimated $61 million. During the pilot program, HackerOne’s global ethical researcher community submitted over 1,000 vulnerability reports, further showcasing public-private cooperation.
Looking to the future, VDP has begun preparing for the next phase in cybersecurity. By expanding global outreach to industry, academia, research communities, and technical innovators, VDP is advancing the hardening of DoD networks and infrastructure. Most recently, VDP is reviewing many of its specific vulnerability findings to determine how they tie into software supply chain risk and mitigation management, and whether implementing a software bill of materials (SBOM) could help track these issue types. VDP researchers are focusing on mobile application misconfigurations, deep diving into vulnerabilities in critical infrastructure, and seeking ways to leverage collected DoD data. Moving forward, this consistency is leading to further growth in the program’s output. VDP will continue to find new opportunities to bring cybersecurity offensive value to the broader DoD.