The US Department of Defense expands the scope of its vulnerability disclosure program to all publicly accessible information systems.
From now on, the DoD’s bug bounty program will include not just websites but also networks, frequency-based communication, industrial control systems, and, most notably, Internet of Things (IoT) devices and networks.
Director of the Defense Digital Service Brett Goldstein commented that the DoD’s bug bounty “allows for research and reporting of vulnerabilities related to all DoD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more”, according to a DoD press release.
The DoD’s bug bounty program is overseen by the US Department of Defense’s Cyber Crime Center (DC3). It is a big step forward from the initial “Hack the Pentagon” pilot in 2016, which was the DoD’s first foray into the bug-hunting scene and was run in partnership with HackerOne. At the time, hackers were restricted to testing only the DoD’s public-facing websites and apps.
“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DoD,” said Goldstein.
Since the inception of the bug bounty program, the DoD has received over 29,000 vulnerability reports from hackers, more than 70% of which were later confirmed to be valid bugs.
Last month, the DC3 announced a new bug bounty pilot, the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), whose aim is specifically to improve the security of defense contractors. The Carnegie Mellon University Software Engineering Institute conducted a feasibility study of the program in 2020 and recommended that the pilot proceed.
“The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” said DC3 director Kristopher Johnson.
The number of bug reports the DoD receives is expected to drastically increase due to the expanded scope of the program.