Researchers find over 400 vulnerabilities in defense industrial base bug bounty effort
A year-long bug bounty program that scrutinized a fraction of the massive U.S. defense industrial base turned up more than 400 valid vulnerabilities, the effort’s organizers announced Monday.
Nearly three hundred security researchers from bug bounty vendor HackerOne participated in the 12-month exercise, dubbed the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) Pilot, and made 1,015 reports as they examined the networks of participating defense contractors — 401 of the reported vulnerabilities were deemed actionable and required remediation, according to the firm.
The pilot effort, run in coordination with the Defense Cyber Crime Center and the Defense Counterintelligence and Security Agency, began with 14 companies and 141 public-facing assets. It was expanded to include 41 entities and 348 systems over the course of the year.
The program's figures represent just a sliver of the estimated 100,000 to 300,000 companies that contract directly with the Pentagon and its components.
Defense officials have long worried about the digital vulnerabilities of firms that make up the department’s supply chain, which has been rocked by major breaches over the years. One of the most notorious incidents occurred in 2009 when suspected Chinese hackers broke into one of the companies working on the F-35 Joint Strike Fighter, the most expensive weapons system in U.S. history, and stole design data.
The pilot bug bounty, which concluded at the end of April, “intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared DIB company assets with potential risks for critical infrastructure and U.S. supply chain,” Melissa Vice, interim director of the DoD Vulnerability Disclosure Program, said in a statement.
An analysis of the DIB Vulnerability Report Management Network will now take place in order to document the pilot’s lessons learned and inform the way forward for a funded program.
“With [the Cybersecurity and Infrastructure Security Agency] now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world,” HackerOne co-founder and chief technology officer Alex Rice said.
The fiscal 2022 defense policy bill required DoD to assess the feasibility of allowing a threat hunting program on the defense industrial base to weed out foreign hackers and study the possibility of establishing a threat information sharing program for the sprawling enterprise.
In an interview with The Record earlier this year, DoD Chief Information Officer John Sherman said the Pentagon was “getting rolling on both of those” examinations.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.