DIB Vulnerability Disclosure Program pilot wraps up

HackerOne, the Defense Counterintelligence and Security Agency (DCSA) and the Department of Defense Cyber Crime Center (DC3) announced May 2 that the Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) Pilot reached its one-year mark and concluded at the end of April.

The 12-month pilot, which began in April 2021, was designed to promote cybersecurity hygiene and reduce the attack surface of voluntary DIB participants by discovering and remediating vulnerabilities on their publicly accessible assets.

The pilot was established jointly by DC3's DoD Vulnerability Disclosure Program (VDP), the DoD DIB Collaborative Information Sharing Environment (DCISE) and DCSA, and was offered free of charge to voluntary DIB participants.

Melissa Vice, interim director of the VDP, said the DIB-VDP Pilot grew out of a desire to apply five years of lessons learned by the DoD VDP to DIB companies, following the recommendation of Carnegie Mellon University Software Engineering Institute's DIB-VDP Feasibility Study.

“DC3’s DoD VDP has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks (DoDIN),” said Vice. “The pilot intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared DIB company assets with potential risks for critical infrastructure and U.S. supply chain.”

Vice noted that a comparison of the monthly findings in DC3's VDP Bug Bytes and DIB-VDP Pilot Myte Bytes reports shows similar trends. Analysis of the DIB Vulnerability Report Management Network (VRMN) will follow the pilot's conclusion, to document the pilot's lessons learned and inform the way forward for a funded program.

The DIB-VDP Pilot launched with 14 voluntary participant companies and 141 assets in scope. The feasibility study had included 20 DIB companies; interest was strong enough that the pilot was expanded over the year to 41 companies with 348 assets. In total, 288 HackerOne cybersecurity researchers submitted 1,015 reports, of which 401 were validated as actionable and passed to DIB system owners for remediation.

“The initiative and teamwork among VDP, DCISE, DCSA, and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes to the continued commitment of DC3 and partner agencies seeking new avenues to better support their customers and the DoD Cyber Strategy,” said Joshua Black, acting executive director, DC3.

“Every organization should prioritize securing their software supply chain, but it’s even more critical for federal agencies that protect national security,” said HackerOne co-founder and chief technology officer Alex Rice. “With CISA now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world. We should all be thankful to DoD for creating this innovative operating model, proving its effective operation at scale, and then making it available for other organizations to replicate.”

Source: DC3

Like IC News? Then please consider subscribing. You’ll get full access to our searchable library of 10,000+ articles, plus new articles each weekday.