End of the 12-month Defense Industrial Base Vulnerability Disclosure Pilot Program

The Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot reaches the one-year milestone and concludes at the end of April.

The 12-month pilot, launched in April 2021, was adopted to promote cybersecurity hygiene and reduce the attack surface of voluntary DIB participants by discovering and remediating vulnerabilities on publicly accessible assets.

The pilot project was established collaboratively by the DoD Cyber Crime Center (DC3) DoD Vulnerability Disclosure Program (VDP), the DoD DIB Collaborative Information Sharing Environment (DCISE) and the Defense Counterintelligence and Security Agency (DCSA), as a free benefit for DIB volunteer participants.

Melissa Vice, Acting Director, VDP, said the DIB-VDP pilot stems from a desire to apply five years of lessons learned by the DoD VDP to DIB companies, based on the recommendation of the DIB-VDP Feasibility Study from the Carnegie Mellon University Software Engineering Institute.

“DC3’s DoD VDP has long recognized the benefits of using outsourced ethical hackers to add defense-in-depth protection to DoD Information Networks (DoDINs),” Vice said. “The pilot project was designed to identify whether similar critical and high-severity vulnerabilities existed on small to medium-sized, cleared and uncleared DIB company assets with potential risks to critical infrastructure and the U.S. supply chain.”

Vice noted that when comparing the monthly results of its VDP Bug Bytes and DIB-VDP Pilot Myte Bytes reports, similar trends emerged. Analysis of the DIB Vulnerability Reporting Management Network (VRMN) will take place at the end of the pilot to document lessons learned from the DIB-VDP pilot and inform the way forward for a funded program.

View monthly reports online at https://www.dc3.mil/Organizations/Vulnerability-Disclosure/VDP-Bug-Bytes/ and https://www.dc3.mil/Organizations/Vulnerability-Disclosure/DIB-VDP-Pilot/DIB-VDP-Pilot-Myte-Byte/.

The DIB-VDP pilot was launched with 14 voluntary participating companies and 141 assets in scope. The feasibility study included 20 DIB companies; however, interest was so strong that the pilot was expanded to admit 41 companies with 348 active assets over the past year. There were 288 HackerOne cybersecurity researchers who submitted 1,015 all-time reports, with 401 validated as actionable reports for remediation by DIB system owners.

“The initiative and teamwork between VDP, DCISE, DCSA and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes about the continued commitment of DC3 and partner agencies to finding new avenues to better support their customers and the DoD’s cyber strategy,” said Joshua Black, Acting Executive Director, DC3.

According to Ashley Smith, Head of Cyber Threat Analysis, DCSA, DCSA’s ability to partner with DCISE and DC3’s DoD VDP team has provided critical victories against the adversary where cybersecurity and counterintelligence intersect.

“DCSA looks forward to working with both groups moving forward as we evaluate the potential to establish a permanent program,” said Smith.

Since the establishment of the VDP in 2016, a key factor in its success has been the establishment of a DoD policy, approved by the Department of Justice, providing guidance and limits by which “good” hackers could engage in vulnerability research without fear of federal prosecution. HackerOne is the DoD’s primary source of vulnerability reports and is responsible for verifying and registering VDP cybersecurity researchers.

DC3 VDP’s in-house team of cyber analysts validates, triages, and coordinates the mitigation of vulnerabilities reported by HackerOne researchers to provide layered defense-in-depth and reduce the attack surface of the DoD’s information networks.

Since 2016, VDP has received over 40,000 vulnerability reports, discovered by over 3,200 outsourced cybersecurity researchers in 45 countries, resulting in approximately 70% of vulnerabilities being validated as exploitable and processed for remediation by DODIN components.

“Every organization should prioritize securing their software supply chain, but it’s even more critical for federal agencies that protect national security,” said HackerOne co-founder and chief technology officer, Alex Rice. “With CISA now mandating the disclosure of vulnerabilities to government agencies and federal contractors, the DIB-VDP takes the practice a step further by demonstrating the effectiveness of VDPs in the real world. We should all be grateful to the DoD for creating this innovative operating model, proving it works effectively at scale, and then making it available to other organizations to replicate.”

Ryan H. Bowman