Article Details
Scrape Timestamp (UTC): 2024-03-19 21:17:52.075
Original Article Text
US Defense Dept received 50,000 vulnerability reports since 2016.

The Cyber Crime Center (DC3) of the U.S. Department of Defense says it has reached the milestone of processing its 50,000th vulnerability report, submitted by 5,635 researchers since the program's inception in November 2016.

The federal agency launched its Vulnerability Disclosure Program (VDP) 7.5 years ago following a bug bounty event called 'Hack-the-Pentagon,' to solicit crowd-sourced vulnerability reports that could help bolster its cyber defenses.

"Unlike short-duration bug bounties, VDP's crowd-sourced ethical hackers report vulnerabilities continuously as part of a defense-in-depth approach," reads DC3's announcement. "Through its function as the focal point for receiving vulnerability reports, DC3 VDP continues to contribute significantly to DoD's overall security."

In 2018, the program introduced an automated tracking and processing system for the submitted reports, greatly improving the framework's efficiency as well as the experience of the ethical hackers taking part.

Over time, VDP expanded its scope to include vulnerabilities in all publicly accessible IT assets, websites, and applications owned and operated by the Joint Force Headquarters DoD Information Network.

In 2021, DC3 and the Defense Counterintelligence and Security Agency worked together in a special 12-month program that led to discovering and mitigating 400 significant security flaws, saving taxpayers a reported $61 million.

Regarding VDP's results in 2023, the agency has not released its annual report yet, but since it announced reaching the 45,000-report milestone exactly a year ago, it can be deduced that 5,000 reports were processed last year. That is lower than the 7,349 vulnerabilities reported in 2022, 8% of which were critical, but it remains a significant contribution nonetheless.

DoD's bug bounty program on HackerOne shows that the agency has resolved over 27,000 issues in total, while receiving 1,231 reports in the last 90 days. Currently, VDP's program on HackerOne defines the scope as all "publicly accessible information systems, web property, or data owned, operated, or controlled by DoD."

Ethical hackers interested in contributing to DoD cybersecurity through VDP may check all the guidelines here.
Daily Brief Summary
The U.S. Department of Defense's Cyber Crime Center (DC3) has processed 50,000 vulnerability reports since launching its Vulnerability Disclosure Program (VDP) in November 2016.
The VDP, which began after a successful 'Hack-the-Pentagon' bug bounty event, differs from typical bug bounties by allowing continuous reporting from ethical hackers.
In 2018, the DC3 implemented an automated system to track and process vulnerability reports, enhancing both efficiency and hacker participation.
The scope of VDP has expanded to cover all publicly accessible Defense Department IT assets, leading to the discovery and mitigation of 400 significant flaws in a 12-month program in 2021, reportedly saving $61 million in taxpayer funds.
Though the annual report for 2023 is not yet released, it is estimated that 5,000 flaws were processed last year, based on the 45,000-report milestone announced a year earlier.
The DoD's bug bounty program on HackerOne has seen over 27,000 issues resolved, with 1,231 reports received in the last 90 days.
Ethical hackers looking to contribute to the DoD's cybersecurity can find participation guidelines on the VDP's HackerOne page.