The Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP) Pilot program completed its 12-month journey to promote cyber hygiene and reduce the attack surfaces of voluntary DIB participants by identifying vulnerabilities on their publicly accessible assets.
The DIB-VDP pilot launched in April 2021 and concluded at the end of April 2022. It launched with 14 voluntary participant companies and 141 assets in scope, and was facilitated by HackerOne, a cybersecurity company.
The pilot was established by the Department of Defense (DoD) Cyber Crime Center’s (DC3) DoD VDP, DoD DIB Collaborative Information Sharing Environment (DCISE), and the Defense Counterintelligence and Security Agency (DCSA) as a free benefit to the voluntary DIB participants.
“The initiative and teamwork among VDP, DCISE, DCSA, and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes to the continued commitment of DC3 and partner agencies seeking new avenues to better support their customers and the DoD Cyber Strategy,” Joshua Black, Acting Executive Director of DC3 said in a press release.
Further, according to Melissa Vice, interim director for the DoD VDP, the DIB-VDP Pilot grew out of a “desire to leverage the five years of lessons learned by the DoD VDP to DIB companies.” These lessons were documented in Carnegie Mellon University Software Engineering Institute’s DIB-VDP Feasibility Study.
This feasibility study included 20 DIB companies and generated such strong interest that the pilot was expanded to admit 41 companies with 348 assets over the past year. According to HackerOne, there were “288 HackerOne cybersecurity researchers who submitted 1,015 all-time reports with 401 validated as actionable reports for remediation by the DIB system owners.”
“DC3’s DoD VDP has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” Vice said. “The pilot intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared DIB company assets with potential risks for critical infrastructure and U.S. supply chain.”