50,000 Vulnerability Reports: How DC3’s Vulnerability Disclosure Program Got Here
Linthicum Heights, Md. – The Department of Defense (DoD) Cyber Crime Center (DC3) Vulnerability Disclosure Program (VDP) has processed its 50,000th report. The enduring program was launched in November 2016 following the successful Hack-the-Pentagon bug bounty event.
Unlike short-duration bug bounties, VDP’s crowdsourced ethical hackers report vulnerabilities continuously as part of a defense-in-depth approach. As the focal point for receiving vulnerability reports, DC3 VDP continues to contribute significantly to DoD’s overall security.
In the summer of 2018, VDP introduced the Vulnerability Report Management Network, a system that automates, tracks, and processes all reporting, making the process much more efficient. This advancement enabled VDP to expand its scope beyond findings on DoD websites and applications to include all publicly accessible and/or available information technology assets owned and operated by the Joint Force Headquarters DoD Information Network.
Beginning in 2021, DC3 and the Defense Counterintelligence and Security Agency partnered to create the 12-month DIB-VDP Pilot. The pilot saved taxpayers an estimated $61 million by discovering and remediating more than 400 active vulnerabilities and Controlled Unclassified Information exfiltration threats by adversaries on DIB participants’ public-facing assets. The DIB-VDP team leveraged low-cost, crowdsourced ethical hackers and processed 1,019 vulnerability reports to keep the small and medium-sized participating DIB companies (DIBCOs) secured against identified threats.
For its efforts throughout the 2022 Defense Industrial Base-VDP Pilot, DC3 earned the prestigious DoD Chief Information Officer Annual Award. “This proof-of-concept pilot provided world-class velocity and agility, ensuring voluntary DIBCO participants were protected, based on the same DoD VDP’s successful seven-year benchmark for all government organizations to follow as recognized by industry, federal government, academia, and Five Eyes partners, and as the leaders in vulnerability discovery and management codified in DODI 8531.01,” DC3 VDP Director Melissa explains.
“The success of the DC3 VDP is a powerful example of how a strong relationship with the global ethical hacker community translates to the consistent strengthening of cyber defenses,” adds Alex Rice, Founder and CTO of HackerOne. “As proud partners, we look forward to continued collaboration as ethical hackers work to further strengthen national security.”
Through innovative and proactive efforts, VDP has worked with HackerOne to engage the global hacker community and solidify the program’s framework and relationships both domestically and around the world. DC3 has positioned itself to take on that challenge by cultivating trust and credibility with the global ethical hacker community, as well as by building and maturing partnerships as part of DC3’s overall strategy.
This is a repost of the Department of Defense Cyber Crime Center's press release.