DOD Expands Vulnerability Disclosure Program to Web-Facing Targets

The United States Department of Defense this week announced an expansion of the scope of its vulnerability disclosure program to include all of its publicly accessible information systems.

The program has been running on HackerOne since 2016 when the DOD’s Hack the Pentagon initiative was launched and provides security researchers with means to engage with the DOD when they identify vulnerabilities in the department’s public-facing websites and applications.

As part of the expanded scope, vulnerability hunters can probe all of DOD’s publicly accessible networks, along with industrial control systems, frequency-based communication, and Internet of Things assets, among others.

"This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," Brett Goldstein, the director of the Defense Digital Service, said.

The bug bounty program is monitored by the DOD Cyber Crime Center and has received more than 29,000 vulnerability reports since its inception in 2016. More than 70% of these reports were found to be valid, the DOD says.

As hackers begin to identify vulnerabilities that could not be reported before, DOD expects to see a sharp increase in the number of submissions.

The expansion comes roughly one month after DOD launched the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot on HackerOne, seeking to identify vulnerabilities in participating DoD contractors’ assets.

Related: NSA Publishes Cybersecurity Year in Review Report
