The US Department of Defense (DoD) on Monday announced the conclusion of a 12-month pilot Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) aimed at finding flaws in contractor networks.
The pilot initiative was established by the DoD Cyber Crime Center (DC3) in collaboration with the Defense Counterintelligence and Security Agency (DCSA) and DoD DIB Collaborative Information Sharing Environment (DCISE).
Run in collaboration with hacker-powered bug hunting platform HackerOne – DoD’s primary source of vulnerability reporting – the program focused on identifying security holes in publicly accessible assets of voluntary DIB participants and concluded with a total of 401 reported vulnerabilities being validated.
While it kicked off with 14 voluntary participants and 141 assets in scope, the DIB-VDP pilot expanded over the course of the year to a total of 41 companies and 348 assets.
A total of 288 HackerOne cybersecurity researchers hunted for bugs as part of the pilot and submitted 1,015 all-time reports, the DoD says.
“The initiative and teamwork among VDP, DCISE, DCSA, and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes to the continued commitment of DC3 and partner agencies seeking new avenues to better support their customers and the DoD Cyber Strategy,” DC3 acting executive director Joshua Black said.
DoD kicked off its VDPs in 2016 and has since received over 40,000 vulnerability reports from more than 3,200 cybersecurity researchers in 45 countries. Roughly 70% of the security bugs were validated as actionable.
While HackerOne is responsible for vetting and registering bug hunters, DC3 VDP’s internal cyber analyst team is in charge of the validation and triaging of vulnerabilities, as well as the processing of mitigations.
“With CISA now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world,” HackerOne co-founder and chief technology officer Alex Rice said.