TLDR:
- The Pentagon’s Vulnerability Disclosure Program (VDP) has received over 50,000 vulnerability reports since November 2016.
- The VDP has led to the successful mitigation of over 6,000 vulnerabilities and saved taxpayer money.
The Department of Defense Cyber Crime Center (DC3) has achieved a significant milestone in cybersecurity with the processing of over 50,000 vulnerability reports since the inception of the VDP in November 2016. The VDP, established after the success of the “Hack the Pentagon” bug bounty program, has facilitated collaboration with ethical hackers from around the world through platforms like HackerOne, Bugcrowd, and Synack. This collaboration has led to the successful mitigation of over 6,000 vulnerabilities out of the 25,000 actionable reports received.
The VDP’s efficiency was enhanced with the introduction of the Vulnerability Report Management Network, which automated the tracking and processing of reports. The program has expanded its scope to cover a wider range of DoD assets, including all publicly accessible information technology assets operated by the Joint Force Headquarters DoD Information Network. Through the DIB-VDP Pilot, the program has also extended its reach to the Defense Industrial Base, helping protect small and medium-sized participating companies from identified threats.
The success of the VDP has not only strengthened the Pentagon’s cyber defenses but has also saved taxpayer money. In 2021, a bug bounty program aimed at contractor networks addressed over 1,000 vulnerabilities, resulting in an estimated savings of $61 million. The VDP has become a model for other government organizations, showcasing the benefits of crowdsourced cybersecurity in consistently strengthening cyber defenses. As cyber threats continue to evolve, the VDP remains a critical component of the Pentagon’s defense-in-depth strategy to ensure the security and mission assurance of the United States’ defense information networks.