The US Department of Defense (DoD) on Monday announced the conclusion of a 12-month pilot Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) aimed at finding flaws in contractor networks.
The pilot initiative was established by the DoD Cyber Crime Center (DC3) in collaboration with the Defense Counterintelligence and Security Agency (DCSA) and DoD DIB Collaborative Information Sharing Environment (DCISE).
Run in collaboration with hacker-powered bug hunting platform HackerOne – DoD’s primary source of vulnerability reporting – the program focused on identifying security holes in publicly accessible assets of voluntary DIB participants and concluded with a total of 401 reported vulnerabilities being validated.
While it kicked off with 14 voluntary participants and 141 assets in scope, the DIB-VDP pilot expanded over the course of the year to a total of 41 companies and 348 assets.
A total of 288 HackerOne cybersecurity researchers hunted for bugs as part of the pilot and submitted 1,015 all-time reports, the DoD says.
[ READ: CISA Announces Vulnerability Disclosure Policy Platform ]
“The initiative and teamwork among VDP, DCISE, DCSA, and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes to the continued commitment of DC3 and partner agencies seeking new avenues to better support their customers and the DoD Cyber Strategy,” DC3 acting executive director Joshua Black said.
DoD kicked off its VDPs in 2016 and has since received over 40,000 vulnerability reports from more than 3,200 cybersecurity researchers in 45 countries. Roughly 70% of the security bugs were validated as actionable.
While HackerOne is responsible for vetting and registering bug hunters, DC3 VDP’s internal cyber analyst team is in charge of the validation and triaging of vulnerabilities, as well as the processing of mitigations.
“With CISA now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world,” HackerOne co-founder and chief technology officer Alex Rice said.
Related: US DoD Launches Vuln Disclosure Program for Contractor Networks
Related: DOD Expands Vulnerability Disclosure Program to Web-Facing Targets
More from Ionut Arghire
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
Latest News
- Russian Millionaire on Trial in Hack, Insider Trade Scheme
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
