12-Month DIB-VDP Pilot Concludes

The Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) Pilot reaches the one-year mark and its conclusion at the end of April.

The 12-month pilot, launched in April 2021, was enacted to promote cybersecurity hygiene and reduce the attack surface of voluntary DIB participants by discovering and remediating vulnerabilities on publicly accessible assets.

The pilot was established collaboratively by the DoD Cyber Crime Center’s (DC3) DoD Vulnerability Disclosure Program (VDP), DoD DIB Collaborative Information Sharing Environment (DCISE), and the Defense Counterintelligence and Security Agency (DCSA), as a free benefit to voluntary DIB participants.

Melissa Vice, interim director, VDP, said the DIB-VDP Pilot’s existence stems from a desire to leverage the five years of lessons learned by the DoD VDP to DIB companies, based on the recommendation from Carnegie Mellon University Software Engineering Institute’s DIB-VDP Feasibility Study.

“DC3’s DoD VDP has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks (DoDIN),” said Vice. “The pilot intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared DIB company assets with potential risks for critical infrastructure and U.S. supply chain.”

Vice noted that when comparing monthly findings in its VDP Bug Bytes and DIB-VDP Pilot Myte Bytes reports, similar trends have emerged. Analysis of the DIB Vulnerability Report Management Network (VRMN) will occur following the conclusion of the pilot to document the DIB-VDP pilot’s lessons learned and inform the way forward for a funded program.

View monthly reports online at https://www.dc3.mil/Organizations/Vulnerability-Disclosure/VDP-Bug-Bytes/ and https://www.dc3.mil/Organizations/Vulnerability-Disclosure/DIB-VDP-Pilot/DIB-VDP-Pilot-Myte-Byte/.

The DIB-VDP Pilot launched with 14 voluntary participant companies and 141 assets in scope. The feasibility study included 20 DIB companies; however, the interest was so strong the pilot was expanded to admit 41 companies with 348 assets during the past year. There were 288 HackerOne cybersecurity researchers who submitted 1,015 all-time reports with 401 validated as actionable reports for remediation by the DIB system owners.

“The initiative and teamwork among VDP, DCISE, DCSA, and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes to the continued commitment of DC3 and partner agencies seeking new avenues to better support their customers and the DoD Cyber Strategy,” said Joshua Black, Acting Executive Director, DC3.

According to Ashley Smith, Chief of Cyber Threat Analysis, DCSA; DCSA’s ability to partner with DCISE and DC3’s DoD VDP team has provided critical wins against the adversary where cybersecurity and counterintelligence intersect.

“DCSA looks forward to working with both groups moving forward as we assess the potential of establishing a permanent program,” said Smith.

Since VDPs 2016 founding, a key enabler of its success was the establishment of a DoD policy, approved by the Department of Justice, providing guidance and boundaries by which the “good guy” hackers could engage in vulnerability research without fear of federal prosecution. HackerOne is DoD’s primary source for vulnerability reporting and is responsible for vetting and registering VDPs cybersecurity researchers.

DC3 VDP’s internal cyber analyst team validate, triage and process mitigation of vulnerabilities reported by HackerOne’s researchers to provide layered defense-in-depth and reduce the DoD Information Networks attack surface.

Since 2016, VDP has received more than 40,000 vulnerability reports, discovered by 3,200+ crowdsourced cybersecurity researchers in 45 countries, resulting approximately 70 percent of vulnerabilities being validated as actionable and processed for remediation by DODIN components.

“Every organization should prioritize securing their software supply chain, but it’s even more critical for federal agencies that protect national security,” said HackerOne co-founder and chief technology officer Alex Rice. “With CISA now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world. We should all be thankful to DoD for creating this innovative operating model, proving its effective operation at scale, and then making it available for other organizations to replicate.”

Learn more about VDP online at https://www.dc3.mil/Organizations/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/