DoD networks, IoT devices, and industrial control systems now in play

US Department of Defense expands vulnerability disclosure program

The US Department of Defense (DoD) has expanded its security vulnerability disclosure program (VDP) beyond its public-facing websites and web applications to encompass all publicly accessible information systems.

That brings into scope all public-facing DoD networks, frequency-based communication platforms, IoT devices, and industrial control systems, among other technologies, the DoD announced yesterday (May 4).

“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within” the DoD, said Brett Goldstein, director of the Defense Digital Service, which is tasked with improving technology in use across the DoD.

Catch up on the latest bug bounty news

Bug hunters have submitted more than 29,000 security vulnerability reports to the VDP – 70% of which were deemed valid – since its 2016 launch on HackerOne.

Kristopher Johnson, director of the DoD Cyber Crime Center (DC3), which oversees the DoD VDP, expects this number to expand along with the in-scope attack surface, an expansion he says the DoD has long envisaged.

“The department has always maintained the perspective that DoD websites were only the beginning as they account for a fraction of our overall attack surface,” he said.

The US operations center for Exercise Locked Shields 2021, the world's largest cyber defense exerciseThe US operations center for Exercise Locked Shields 2021, the 30-nation cyber defense exercise

‘Huge news’

Responding on Twitter, Jack Cable, who works as a hacker at the Defense Digital Service, hailed the development as “huge news. First vulnerability disclosure policy I'm aware of that goes beyond web systems to anything publicly accessible such as ‘frequency-based communication, Internet of Things, industrial control systems’”.

The DoD’s VDP was born out of its 2016 ‘Hack the Pentagon’ pilot initiative, an invite-only, time-limited bug bounty program that has since spawned equivalent programs for the US Army, Air Force, Marine Corps, and Defense Travel System.

“The DoD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems,” said the DoD’s Goldstein.

Before the VDP was in place, the lack of vulnerability reporting mechanisms meant “many vulnerabilities went unreported”, he added.

In January, another key US defense agency, the Defense Advanced Research Projects Agency (DARPA), reported on the achievements of its Finding Exploits to Thwart Tampering (FETT) program, under which researchers from crowdsourced security platform Synack probed hardware architectures developed under DARPA’s ‘SSITH’ program.

The German armed forces (the ‘Bundeswehr’) is among few other militaries worldwide to launch a VDP, while Singapore’s Ministry of Defense has emulated the DoD’s Hack the Pentagon model with its own invite-only HackerOne bug bounty challenges.

RECOMMENDED Bug Bounty Radar // The latest bug bounty programs for May 2021