The US Department of Defense (DoD) passed the significant milestone of logging more than 50,000 vulnerabilities through its vulnerability disclosure program (VDP).
The VDP was launched in November 2016 by the DoD Cyber Crime Center (DC3), and logged the 50,000th bug bounty on the March 15 2024.
The DC3 VDP program incentivises white-hat hackers to find bugs and vulnerabilities in DoD websites and applications by rewarding them depending on the severity of the vulnerabilities they discover.
50,000 potential avenues of attack patched
DC3 has gradually enhanced the efficiency of bug reporting and tracking over the program’s lifetime, with the Vulnerability Report Management Network being launched in 2018, introducing automation to the reporting process.
In a public statement to mark the occasion, DC3 said, “The program’s advancement has enabled VDP to expand their mitigative scope to not only process findings on DoD websites and applications, but to include all publicly accessible and/or available information technology assets owned and operated by the Joint Force Headquarters DoD Information Network.”
The reward offered to ethical hackers who successfully identify vulnerabilities is expected to be significantly lower than the financial impact a potential breach could have on the DoD. In fact, 2021 saw DC3 launch a 12 month program with the Defense, Counterintelligence & Security Agency to boost the security of SMEs in the Defense Industrial Base (DIB).
According to the DC3, the initiative “saved taxpayers an estimated $61m by discovering and remediating more than 400 active vulnerabilities and Controlled Unclassified Information exfiltration threats by adversaries on DIB participants’ public-facing assets.”
The DoD also holds a hackathon known as ‘Hack the Pentagon’ that offers ethical hackers the opportunity to seek out bugs in other critical areas of national defense such as the Army, Marine Corps, and Air Force.