U.S. Department of Defense Announces an Expansion of its Vulnerability Disclosure Program


The US Department of Defense reported this week that its vulnerability disclosure initiative would be expanded to cover all of its publicly available information systems.

The program has been running on HackerOne since 2016, when the Department of Defense launched its Hack the Pentagon campaign, and it allows security researchers to report flaws they find in the department’s public-facing websites and applications to the DOD.

Under the expanded scope, vulnerability hunters can now probe all of DOD’s publicly available networks, as well as industrial control systems, frequency-based communication, and Internet of Things assets, among other things.

“This expansion demonstrates how the government is changing its approach to security and how DOD is leapfrogging the existing state of technology,” said Brett Goldstein, director of the Defense Digital Service.

The DOD Cyber Crime Center oversees the bug bounty scheme, which has received over 29,000 vulnerability reports since its launch in 2016. According to the Department of Defense, more than 70% of these reports were confirmed as valid.

DOD predicts a significant rise in the number of submissions as hackers discover bugs that were previously unreported.

The expansion comes around a month after the Department of Defense (DoD) launched the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot on HackerOne, with the aim of identifying vulnerabilities in DoD contractors’ assets.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.