DOD Expands Bug Bounty Program for Ethical Hackers
The Department of Defense has expanded its Vulnerability Disclosure Program and allowed white hat hackers to target all of the department’s publicly accessible information systems.
Ethical hackers were originally limited to the Pentagon's public-facing websites. They may now also research and report vulnerabilities in frequency-based communications, internet-of-things devices, industrial control systems and more, Defense.gov reported Tuesday.
“The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” said Kristopher Johnson, director of the DOD Cyber Crime Center, which oversees the program.
The new effort was based on the 2016 “Hack the Pentagon” initiative, which enabled the Defense Digital Service to engage with hackers through a bug bounty program.
DDS Director Brett Goldstein said hackers who spotted vulnerabilities had no sanctioned way to interact with the Pentagon prior to the 2016 project, so many vulnerabilities went unreported.
Goldstein said the VDP’s expansion demonstrates the DOD’s commitment to making leaps in modernization and transforming the government’s approach to security.
According to bug bounty platform HackerOne, DOD uses the information submitted to the VDP for defensive purposes and not for the development of offensive tools or capabilities.
Hackers have reportedly submitted more than 29,000 vulnerability reports, 70 percent of which were valid, since the VDP’s launch in 2016.
DOD investigates every disclosure seriously and works to ensure that appropriate steps are taken to mitigate all vulnerabilities, HackerOne said.
Johnson said he expects the number to drastically increase as security researchers may now discover and report vulnerabilities in previously inaccessible domains.
Tags: bug bounty, Cyber Crime Center, cybersecurity, Defense Digital Service, Defense.gov, Department of Defense, ethical hacker, hacker, HackerOne, industrial control system, IoT, Kristopher Johnson, vulnerability disclosure program