by Christen Mccurdy Washington DC (UPI) May 4, 2021
The Pentagon announced Tuesday that it is expanding its Vulnerability Disclosure Program to include all publicly accessible information systems in the Defense Department.

The program grew out of the department's "Hack the Pentagon" initiative, which started in 2016, according to a Pentagon press release.

In 2016 then-Defense Secretary Ashton Carter met with two hackers to congratulate them for alerting the Pentagon to potential vulnerabilities in several Defense Department websites. The hackers were the most successful participants in a "Hack the Pentagon" event begun earlier that year -- the Defense Department's first-ever "bug bounty."

Prior to that, there was no way for ethical hackers to interact with the Department of Defense even if they spotted a vulnerability in its systems.

"Because of this, many vulnerabilities went unreported," Brett Goldstein, the director of the Defense Digital Service, said in the DoD's release. "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."

The DoD Cyber Crime Center oversees the Vulnerability Disclosure Program, which has received more than 29,000 vulnerability reports -- 70% of which have been found to be valid, according to officials.

The original policy was limited to the department's public-facing websites and applications, but now hackers are invited to investigate vulnerabilities related to all DOD publicly-accessible networks, Goldstein said in the release. The expansion also includes frequency-based communication, the Internet of Things and industrial control systems.

"The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," said Cyber Crime Center director Kristopher Johnson.

In July 2015 a Pentagon email system used by personnel of the Joint Chiefs of Staff was breached in a sophisticated cyberattack officials said was committed by Russian state actors.

In January 2020 the Pentagon announced that it would require at least some contractors bidding on defense contracts to certify that they meet "at least a basic level of cybersecurity standards" in their proposals.