Over 50,000 Vulnerabilities Discovered in DoD Systems Through Bug Bounty Program

Over 50,000 vulnerabilities have been submitted to the US Department of Defense (DoD) through its vulnerability disclosure program (VDP).

The DoD Cyber Crime Center (DC3) reported on March 15, 2024, that it processed its 50,000th vulnerability since introducing its crowd-sourced ethical hacking scheme in November 2016.

Unlike other bug bounty efforts, DC3’s VDP is a continuous scheme welcoming ethical hackers to find vulnerabilities within US military IT systems and report them to the DoD.

Its launch in November 2016 followed a successful ‘Hack the Pentagon’ bug bounty program running on HackerOne.

In 2018, DC3 introduced a new reporting system within VDP known as the Vulnerability Report Management Network. It allows DC3 to automate, track, and process all reporting, creating a much more efficient process.

“The program’s advancement has enabled VDP to expand their mitigative scope to not only process findings on DoD websites and applications, but to include all publicly accessible and/or available information technology assets owned and operated by the Joint Force Headquarters DoD Information Network,” DC3 explained in a public statement.

In 2021, DC3 and the Defense Counterintelligence and Security Agency partnered to create a 12-month pilot program dedicated to hunting bugs within the systems of small to medium organizations participating in the Defense Industrial Base (DIBCOs).

This initiative allowed DC3 to process 1019 vulnerability reports. “[It] saved taxpayers an estimated $61m by discovering and remediating more than 400 active vulnerabilities and Controlled Unclassified Information exfiltration threats by adversaries on DIB participants’ public-facing assets,” noted DC3.

The pilot program earned DC3 the prestigious DoD Chief Information Officer Annual Award.

Meanwhile, the DoD has continued running standalone bug bounty programs in collaboration with HackerOne, Bugcrowd and Synack, including ‘Hack the Pentagon’ competition covering other departments such as the Air Force, the Marine Corps, the Army, and Defense Travel System assets.