Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

DoD Announces Results of Vulnerability Disclosure Program for Defense Contractors

The US Department of Defense (DoD) on Monday announced the conclusion of a 12-month pilot Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) aimed at finding flaws in contractor networks.

The US Department of Defense (DoD) on Monday announced the conclusion of a 12-month pilot Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) aimed at finding flaws in contractor networks.

The pilot initiative was established by the DoD Cyber Crime Center (DC3) in collaboration with the Defense Counterintelligence and Security Agency (DCSA) and DoD DIB Collaborative Information Sharing Environment (DCISE).

Run in collaboration with hacker-powered bug hunting platform HackerOne – DoD’s primary source of vulnerability reporting – the program focused on identifying security holes in publicly accessible assets of voluntary DIB participants and concluded with a total of 401 reported vulnerabilities being validated.

While it kicked off with 14 voluntary participants and 141 assets in scope, the DIB-VDP pilot expanded over the course of the year to a total of 41 companies and 348 assets.

A total of 288 HackerOne cybersecurity researchers hunted for bugs as part of the pilot and submitted 1,015 all-time reports, the DoD says.

[ READ: CISA Announces Vulnerability Disclosure Policy Platform ]

“The initiative and teamwork among VDP, DCISE, DCSA, and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes to the continued commitment of DC3 and partner agencies seeking new avenues to better support their customers and the DoD Cyber Strategy,” DC3 acting executive director Joshua Black said.

DoD kicked off its VDPs in 2016 and has since received over 40,000 vulnerability reports from more than 3,200 cybersecurity researchers in 45 countries. Roughly 70% of the security bugs were validated as actionable.

While HackerOne is responsible for vetting and registering bug hunters, DC3 VDP’s internal cyber analyst team is in charge of the validation and triaging of vulnerabilities, as well as the processing of mitigations.

“With CISA now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world,” HackerOne co-founder and chief technology officer Alex Rice said.

Related: US DoD Launches Vuln Disclosure Program for Contractor Networks

Related: DOD Expands Vulnerability Disclosure Program to Web-Facing Targets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.