US DoD Launches Vuln Disclosure Program for Contractor Networks

The United States Department of Defense (DoD) this week announced the launch of a new vulnerability disclosure program on HackerOne to identify vulnerabilities in Defense Industrial Base (DIB) contractor networks.

Running as a pilot, the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) covers participating DoD contractor partner’s information systems and web properties, as well as other assets within scope, and is separate from the DoD vulnerability disclosure program that already runs on HackerOne.

As part of the DIB-VDP Pilot, DoD invites the HackerOne community to remotely test the participating DoD contractors’ assets and report on any identified vulnerabilities.

Interested researchers, however, are prohibited from doing any harm to the vulnerable systems, from accessing or exfiltrating data, from compromising the privacy or safety of DoD or the contractor, as well as from sharing any information with third parties.

“Any information submitted to the DIB-VDP under this program will be used for defensive purposes – to mitigate or remediate vulnerabilities in DoD contractor information systems, networks, or applications. This research is not contributing to offensive tools or capabilities,” the program’s policy reads.

Researchers looking to participate are encouraged to read the provided guidelines and glance over the assets that are within scope of the program, as well as over the rest of the terms and conditions of the DIB-VDP.

The DIB-VDP Pilot is a voluntary event that will run for 12 months.  

Related: U.S. Gov Announces ‘Hack the Army 3.0’ Bug Bounty Program

Related: HackerOne Paid Out Over $107 Million in Bug Bounties

Related: Hackers Earn $275,000 for Vulns in U.S. Army Systems