Cyber

DOD expands vulnerability disclosure program to contracting base in pilot

Forty-one defense contractors in the small-to-medium-size range participated in a vulnerability disclosure pilot that resulted in 1,015 reports, of which 401 were validated by system owners for remediation.

By Billy Mitchell

May 2, 2022

(Getty Images)

Much like the Department of Defense has increasingly looked to white-hat ethical hackers to seek out vulnerabilities in its systems over the past five years, the department also believes those independent researchers can help in shoring up the security of the defense industrial base.

DOD’s Cyber Crime Center, in partnership with HackerOne, just concluded a yearlong Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) Pilot in which it invited members of the defense industrial base to accept vulnerability disclosures on the public-facing systems. The Defense Counterintelligence and Security Agency also assisted in the pilot.

In total, 41 small- and medium-sized defense contractors participated in the pilot, and researchers submitted 1,015 reports, of which 401 were validated by system owners for remediation.

The department’s vulnerability disclosure program, well-known for its Hack the Pentagon bug bounty initiatives, “has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks (DoDIN),” Melissa Vice, interim director of the program, said in a statement Monday. This pilot, she added, “intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared DIB company assets with potential risks for critical infrastructure and U.S. supply chain.”

The pilot and its results come as the spotlight has been increasingly shined on the defense industrial base as an infiltration point for malicious actors into the DOD’s networks, especially with heightened threats from nation-states like China and Russia.

This concern has led to a greater focus on the cybersecurity of the more than 300,000 DOD contractors through the Cybersecurity Maturity Model Certification (CMMC) program, which in its latest form requires many DIB partners to achieve a cybersecurity certification to be able to do work with the DOD and its controlled unclassified information.

“Every organization should prioritize securing their software supply chain, but it’s even more critical for federal agencies that protect national security,” said Alex Rice, HackerOne co-founder and chief technology officer. The “DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world. We should all be thankful to DoD for creating this innovative operating model, proving its effective operation at scale, and then making it available for other organizations to replicate.”

Since its founding in 2016, the Pentagon’s vulnerability disclosure program has received more than 40,000 vulnerability reports that were discovered by more than 3,200 cybersecurity researchers in 45 countries. Of those reports, approximately 70 percent of vulnerabilities have been validated as actionable and processed for remediation by the DOD.

Next steps, Vice says, are to examine the findings of the pilot and use them to inform the possibility of a funded program.