
Contributing to Developing and Implementing the DoD Vulnerability Discovery Program

2016

The security research community regularly makes valuable contributions to the security of organizations and the broader Internet. Because maintaining the security of its networks is a high priority for the U.S. Department of Defense (DoD), the DoD recognizes that fostering a close relationship with that community helps improve its security. In 2016, the DoD identified a need for a transparent and modernized vulnerability disclosure program and asked the SEI’s CERT Division to help develop and implement such a program.

Since 2002, the SEI has gathered, investigated, and published research about vulnerabilities and has curated the vulnerability notes database. This research provided the backdrop for its work with the Defense Cyber Crime Center (DC3) to develop the DoD Vulnerability Disclosure Program (VDP), which is based on the Hack the Pentagon and Hack the Army bug bounty pilots.

During the first phase of the program, the SEI helped design processes and handle reports from researchers—validating reported vulnerabilities, passing them to the DC3 for mitigation, and validating the applied fixes. The SEI developed the CONOPS (concept of operations) and TTPs (tactics, techniques, and procedures) of the DoD VDP. The SEI also provided initial operating capability for DC3 until the planned hand-off in early 2018, after which the SEI would provide only policy, process, and technical support.

The VDP is the DoD’s legal avenue for researchers to find and disclose vulnerabilities in DoD public-facing systems. The program was the first of its kind for the DoD. Its clear guidance not only helps security researchers know how to test and disclose vulnerabilities in DoD websites, but it also commits the DoD to working transparently with the research community.