The Department of Defense (DoD) Cyber Crime Center (DC3) recently announced a significant milestone in its cybersecurity efforts: the processing of over 50,000 vulnerability reports since the inception of its Vulnerability Disclosure Program (VDP) in November 2016.
This program, a pioneering initiative in the federal government, was established following the “Hack the Pentagon” bug bounty program, which demonstrated the value of crowdsourced cybersecurity.
The VDP has also fostered collaboration between the public and private sectors, exemplified by partnerships with platforms like HackerOne, Bugcrowd, and Synack.
These collaborations have facilitated the running of over 40 bug bounty programs.
Unlike traditional bug bounties, the VDP allows for continuous reporting of potential security weaknesses in DoD’s publicly accessible information systems.
This approach has been instrumental in enhancing the cyber defenses of the Pentagon and its associated networks.
The VDP’s success is largely attributed to the collaboration with ethical hackers from around the world.
Vulnerabilities Reported
By the end of 2022, nearly 45,000 reports had been received from approximately 4,000 researchers.
Out of these, more than 25,000 were actionable, leading to the successful mitigation of over 6,000 vulnerabilities.
The program’s efficiency was significantly improved with the introduction of the Vulnerability Report Management Network in the summer of 2018, which automated the tracking and processing of reports.
This system expansion allowed the VDP to cover a wider range of DoD assets, including all publicly accessible information technology assets owned and operated by the Joint Force Headquarters DoD Information Network.
The VDP has also extended its reach to the Defense Industrial Base (DIB) through the DIB-VDP Pilot, which processed 1,019 vulnerability reports in 2022, helping to secure small to medium-sized participant companies from identified threats.
This pilot earned DC3 the prestigious DoD Chief Information Officer Annual Award for its contributions.
The Pentagon’s proactive approach to cybersecurity has not only strengthened its defenses but also saved taxpayer money.
In 2021, a 12-month bug bounty program aimed at finding flaws in contractor networks addressed over 1,000 vulnerabilities, saving an estimated $61 million.
The success of the DC3 VDP exemplifies the benefits of a strong relationship with the global ethical hacker community.
It has become a model for other government organizations to follow, showcasing how crowdsourced cybersecurity can lead to the consistent strengthening of cyber defenses.
As cyber threats continue to evolve, the DoD’s VDP remains a critical component of the Pentagon’s defense-in-depth strategy, ensuring the security and mission assurance of the United States’ defense information networks.
Since its inception in November 2016, the Pentagon’s Vulnerability Disclosure Program (VDP) has undergone significant evolution and expansion, reflecting its success and the growing recognition of the value of ethical hacking in strengthening cybersecurity.