Us Defense Dept Received 50 000 Vulnerability Reports Since 2016
The Cyber Crime Center (DC3) of the U.S. Department of Defense says it has reached the milestone of processing its 50,000th vulnerability report submitted by 5,635 researchers since its inception in November 2016.
The federal agency launched its Vulnerability Disclosure Program (VDP) 7.5 years ago following a bug bounty event called ‘Hack-the-Pentagon,’ to engage crowd-sourced vulnerability reports that could help bolster its cyber defenses.
“Unlike short-duration bug bounties, VDP’s crowd-sourced ethical hackers report vulnerabilities continuously as part of a defense-in-depth approach,” reads DC3’s announcement.
“Through its function as the focal point for receiving vulnerability reports, DC3 VDP continues to contribute significantly to DoD’s overall security.”
In 2018, the program introduced an automated tracking and processing system for the submitted reports, greatly improving the framework’s efficiency as well as the experience ethical hackers got from their involvement.
Over time, VDP expanded its scope to include vulnerabilities in all publicly accessible IT assets, websites, and applications owned and operated by the Joint Force Headquarters DoD Information Network.
In 2021, DC3 and the Defense Counterintelligence and Security Agency worked together in a special 12-month program that led to discovering and mitigating 400 significant security flaws, saving taxpayers a reported $61 million.
Regarding VDP’s success in 2023, though the agency has not released its annual report yet, based on the fact that it announced reaching the 45,000 flaw reports milestone exactly a year ago, it can be deduced that 5,000 reports were processed last year.
That’s lower than the 7,349 vulnerabilities reported in 2022, 8% of which critical, but it remains a significant contribution nonetheless.
DoD’s bug bounty program on HackerOne shows that the agency has resolved over 27,000 issues in total, while receiving 1,231 reports in the last 90 days.
Currently, VDP’s program on HackerOne defines the scope as all “publicly accessible information systems, web property, or data owned, operated, or controlled by DoD.”
Ethical hackers interested in contributing to the DoD cybersecurity through VDP may check all the guidelines here.