A one-year pilot program designed to allow ethical hackers to discover cybersecurity vulnerabilities on the networks of defense companies saw substantial growth in the number of participants, a Defense Department agency said on Monday.
The voluntary Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) began in April 2021 with 14 companies and 141 assets and grew to 41 companies and 348 assets due to strong interest, the DoD Cyber Crime Center (DC3) said.
HackerOne, a bug bounty company with a platform that allows vetted ethical hackers to participate in VDPs for organizations, supplied 288 researchers who submitted 1,015 reports, with 401 of those validated for remedial actions by DIB system owners, DC3 said.
The pilot effort concluded at the end of April, and a lessons-learned review is underway.
The DIB-VDP was established by the DC3, the DoD DIB Collaborative Information Sharing Environment and the Defense Counterintelligence and Security Agency at no cost to participants. The evaluation was built on the DoD VDP that began in 2016 and is managed by the DC3.
“DC3’s DoD VDP has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” Melissa Vice, interim director of the VDP, said in a statement. “The pilot intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared DIB company assets with potential risks for critical infrastructure and U.S. supply chain.”