Linthicum Heights, Md. – The Department of Defense (DoD) Cyber Crime Center (DC3) and Defense Counterintelligence and Security Agency (DCSA) announce the strategic partnership to establish a fully operational Vulnerability Disclosure Program (VDP) supporting the Defense Industrial Base (DIB), known as DIB-VDP.

This free and voluntary DIB-VDP aims to bring vulnerability disclosure capabilities to the DIB, and the strategic alignment will further enhance DC3 and DCSA support to the DIB in the vulnerability, analytical, cybersecurity, and cyber forensics domains. Program efforts align to address national-level cybersecurity strategies and policies, such as the 2022 National Defense Strategy, the 2023 National Cybersecurity Strategy, and the 2024 Defense Industrial Base Cybersecurity Strategy.

Companies working in support of the DIB, and within 32 CFR pt. 236, are eligible to participate in this voluntary program. Program participants will be onboarded and integrated into this cost-free program which will allow for ethical researcher analysis and vulnerability threat assessment on those participants’ voluntarily identified assets and platforms.

In 2022, in partnership with the HackerOne crowdsourced ethical researcher community, DC3 and DCSA conducted a DIB-VDP 12-month pilot that leveraged the trusted and symbiotic relationship of the DC3 DoD-Defense Industrial Base Collaborative Information Sharing Environment and the DIB. The pilot was born out of the desire to deliver the years of progressive lessons learned by the DoD VDP to DIB companies.

Through operational agreements and strategic partnerships, DC3 and the DCSA routinely collaborate on ways to share information security data. DoD VDP vulnerability reporting is shared with DoD system owners on the Joint Force Headquarters-DoD Information Networks via the Vulnerability Report Management Network (VRMN). A parallel system, DIB VRMN, employs the same efficient and automated approach while ensuring that DIB data is tracked and held separately from DoD data. Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies. It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems. This enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts.

DCSA brings to the DIB-VDP their established relationship with Defense Industrial Base companies and oversight to approximately 12,500 cleared companies under the National Industrial Security Program as eligible participants for the program.

Through this program and partnership, DC3 seeks to build upon and improve the combination of policies, requirements, services, pilots, public-private collaboration, and interagency efforts to combat the complex, ever-evolving cyber threats facing the DIB.

For more information on DC3, please visit www.dc3.mil and follow us on X @dc3forensics and LinkedIn @ DoD Cyber Crime Center.

This is a repost of a press release issued by the DoD Cyber Crime Center.

About HackerOne

HackerOne is the global leader in human-powered security. We leverage human ingenuity to pinpoint the most critical security flaws across your attack surface to outmatch cybercriminals. HackerOne’s Platform combines the most creative human intelligence with the latest artificial intelligence to reduce threat exposure at all stages of the software development life cycle. From meeting compliance requirements with pentesting to finding novel and elusive vulnerabilities through bug bounty, HackerOne’s elite community of ethical hackers helps organizations transform their businesses with confidence. HackerOne has helped find and fix more vulnerabilities than any other vendor, for brands including Coinbase, General Motors, GitHub, Goldman Sachs, Hyatt, PayPal, and the U.S Department of Defense. In 2023, HackerOne was named a Best Workplace for Innovators by Fast Company.