Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems
This move allows greater research and reporting of bugs to Pentagon


The US Department of Defense (DoD) has expanded its Vulnerability Disclosure Program (VDP) to include all publicly accessible DoD websites and systems.
The VDP is run by the Department of Defense Cyber Crime Center (DC3) to enable security researchers to report vulnerabilities on the DoD Information Network (DoDIN) to improve network defense.
The expansion announced today allows for research and reporting of vulnerabilities related to all DoD publicly accessible networks, frequency-based communication, internet of things (IoT), and industrial control systems, according to Brett Goldstein, the director of the Defense Digital Service. Originally, the program was limited to DoD public-facing websites and applications.
"This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," he said.
Before the program’s launch, researchers had no way of reporting bugs they found in publicly accessible DoD systems.
“Because of this, many vulnerabilities went unreported," said Goldstein. "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."
Since the launch of the Vulnerability Disclosure Program, security researchers have submitted over 29,000 vulnerability reports. Officials said that over 70% of them were determined to be valid.
Experts believe the expansion will lead to a massive increase in the number of bugs reported to the department.
"The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," said DOD Cyber Crime Center director Kristopher Johnson.
In April, the DoD Cyber Crime Center unveiled a 12-month Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot to enable security researchers to report flaws in DoD contractor partners' information systems, web properties, and other identified scoped assets. The 12-month program aims to apply the lessons learned from existing reports made through the Pentagon's Vulnerability Disclosure Program.
"The expansion of vulnerability research to participating DoD contractor networks replicates the DoD's success by making participating DoD contractor networks available for vulnerability research," said the DoD's Cyber Crime Center on its HackerOne webpage. "No technology is perfect, but DC3 believes that working with skilled security researchers across the globe is crucial to identifying their weaknesses."
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market.