Pentagon Launches DIB Vulnerability Disclosure Program – MeriTalk
The Pentagon has launched a new fully operational program that allows independent “ethical hackers” to find and analyze vulnerabilities in military contractor networks with the aim of improving the cybersecurity posture of the defense industrial base (DIB).
The DIB Vulnerability Disclosure Program (DIB-VDP) – a joint venture between the Defense Department’s (DoD) Cyber Crime Center (DC3), the Defense Counterintelligence and Security Agency (DCSA), and HackerOne – aims to bring better vulnerability disclosure capabilities to the DIB.
“The strategic alignment will further enhance DC3 and DCSA support to the DIB in the vulnerability, analytical, cybersecurity, and cyber forensics domains,” DoD said.
The fully operational program comes after a year-long pilot where participating companies accepted vulnerability disclosures so that independent hackers could seek out, document, and report security vulnerabilities to the companies and the Pentagon.
The pilot concluded in 2022.
Now with an official program in place, firms can voluntarily – and at no cost – submit assets and platforms for “ethical research analysis and vulnerability threat assessment,” according to the department.
The program follows in line with cybersecurity strategies and policies DoD has launched in the last few years such as the 2022 National Defense Strategy, the 2023 National Cybersecurity Strategy, and the 2024 DIB Cybersecurity Strategy.
“Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies,” DoD said. “It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems,” and “enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts,” the Pentagon said.