DOD Expands Vulnerability Disclosure Program to Web-Facing Targets

The United States Department of Defense this week announced an expansion of the scope of its vulnerability disclosure program to include all of its publicly accessible information systems.

The program has been running on HackerOne since 2016 when the DOD’s Hack the Pentagon initiative was launched and provides security researchers with means to engage with the DOD when they identify vulnerabilities in the department’s public-facing websites and applications.


As part of the expanded scope, vulnerability hunters can probe all of DOD's publicly accessible networks, along with industrial control systems, frequency-based communication, and Internet of Things assets, among others.


“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DOD,” Brett Goldstein, the director of the Defense Digital Service, said.


The bug bounty program is monitored by the DOD Cyber Crime Center and has received more than 29,000 vulnerability reports since its inception in 2016. More than 70% of these reports were found to be valid, the DOD says.


As hackers begin to identify vulnerabilities that could not be reported before, DOD expects to see a sharp increase in the number of submissions.


The expansion comes roughly one month after DOD launched the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot on HackerOne, seeking to identify vulnerabilities in the assets of participating DOD contractors.


Related: NSA Publishes Cybersecurity Year in Review Report


Related: GAO Criticizes Pentagon Over Cyber Hygiene Efforts

Related: U.S. Gov Announces ‘Hack the Army 3.0’ Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
