Pentagon’s Digital Vulnerability Hunt Exposes Flaws in Contractors’ Systems
A private research team hired by the Department of Defense to identify digital vulnerabilities among contractors found hundreds of flaws over the course of its one-year investigation, an official at the Pentagon’s Cyber Crimes Center revealed. Melissa Vice, chief operations officer at the vulnerability disclosure program, said the digital bug hunt “discovered some 400 issues across dozens of companies,” C4ISRNET reported Wednesday.
Cybersecurity company HackerOne was chosen to carry out the hunt for vulnerabilities. Vice said that her office has long recognized the benefits of employing crowdsourced ethical hackers to add defense-in-depth protection to the DOD’s information networks.
The DOD official said the pilot was intended to determine whether critical and high-severity vulnerabilities existed at small-to-medium cleared and non-cleared defense industrial base companies. She added that of particular interest were firms whose operations could potentially endanger critical infrastructure and the American supply chain.
Vice expressed alarm over the findings because the companies that were tested constituted only a small fraction of the DOD’s pool of private-sector contractors. She did not disclose the companies that were found to have digital vulnerabilities.
For his part, Alex Rice, the co-founder and chief technology officer of HackerOne, said that while every organization should prioritize securing its software supply chain, doing so is even more critical for federal agencies that protect national security. He said that HackerOne is currently the DOD’s primary source for vulnerability testing.
Meanwhile, the DOD Cyber Crime Center said penetration and vulnerability testing will continue because it improves network defenses and promotes proactive cyber management.