The Defense Department’s vulnerability disclosure program (VDP) has yielded 2,837 security flaws in the nearly one year since its inception.
While no bounty or cash incentive is awarded for vulnerabilities reported through the VDP, that has not stopped hackers eager to do their part to help protect the DoD’s assets, HackerOne, which runs the program, said in a blog post. The company called the VDP “the ‘see something, say something’ of the internet.”
Implemented just after the department introduced its successful Hack the Pentagon bug bounty program and spearheaded by the Defense Digital Service, the initiative has unearthed more than 100 vulnerabilities deemed critical and has attracted about 650 white hat hackers from more than 50 countries, who have scoured the Defense Department’s public-facing websites for flaws. HackerOne said that, in addition to the United States, India, Russia, the U.K., France, Pakistan, Canada, the Philippines, Egypt and Australia are the top flaw-reporting countries to date.
Under Hack the Pentagon, the Defense Department “has resolved nearly 500 vulnerabilities in public facing systems with bug bounty challenges,” yielding hackers more than $300,000 in bounties, “and saving the DoD millions of dollars,” HackerOne noted.
The woman who spearheaded development of the Department of Defense’s “Hack the Pentagon” bug bounty program recommended last summer that all federal agencies looking to implement a similar initiative do so under a single umbrella program.
“If we were in a position as a government to have one consolidated organization that could do such a thing, it would make great sense. I think that’s absolutely the world in which we’re moving,” said Lisa Wiswell, former digital security lead with the DoD, at DEF CON 25.