The Pentagon’s Cyber Crime Center and bug bounty vendor HackerOne have launched the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), an effort to share vulnerability data and boost digital hygiene within the defense industrial base.
According to HackerOne, any information submitted under the DIB-VDP will be used for defensive purposes only: to mitigate or remediate vulnerabilities in DoD contractor information systems, networks, or applications. Submitted research will not be used to develop offensive tools or capabilities.
The DIB-VDP Pilot is part of DoD’s efforts to extend its relationship with outside security researchers. As of April 2021, security researchers have identified more than 30,000 potential exploits for DoD’s systems. According to the policy, the pilot replicates the DoD’s success by making participating DoD contractor networks available for vulnerability research.
Security researchers are encouraged to identify weaknesses and provide a detailed summary of each vulnerability, including:
- type of issue;
- product, version, and configuration of the software containing the bug;
- step-by-step instructions to reproduce the issue;
- proof-of-concept;
- impact of the issue; and
- suggested mitigation or remediation actions, as appropriate.
In turn, DIB-VDP states it will deal in "good faith" with security researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with its terms and conditions. DIB-VDP says it will take every disclosure seriously, investigating thoroughly and ensuring all appropriate steps are taken to mitigate risk and remediate every reported vulnerability.
DIB-VDP "is committed to coordinating with the security researcher transparently and promptly," which includes taking the following actions:
- Within one business day, DIB-VDP will acknowledge receipt of the report. DIB-VDP’s security team will investigate the report and may contact the security researcher for further information.
- When practicable and authorized, DIB-VDP will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, while remediation of the vulnerability is under way.
- DIB-VDP wants researchers to be recognized publicly for their contributions, if that is the researcher’s desire, and will seek to allow such recognition when practicable and authorized. However, public disclosure of a vulnerability is authorized only with the express written consent of DIB-VDP.
Since its launch, 124 reports have been received, and 27 hackers have been "thanked" for their reports.
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, says, "The Defense Industrial Base Vulnerability Disclosure Program 'in scope' list is just a snapshot of the complexity and scale of the digital landscape that cyber security pros are on the hook to protect. The cyber security industry is gearing up for battle against the scale monster. Crowdsourcing security research and orchestrating and automating vulnerability remediation are two proven methods to defeat the scale monster before it eats all of us. Known vulnerabilities exist today, and more will be disclosed tomorrow, across endpoints, cloud services, websites and the application code our defense agencies rely on. Securing all of these moving parts is the biggest challenge facing the cyber security industry. DIB-VDP is a good start to defining a standardized approach to crowdsourcing vulnerability identification, but we can’t stop here. We must drive and measure remediation outcomes to truly secure digital infrastructure in the face of modern cyber warfare."