60 Days of Insights from the DOD’s Defense Industrial Base Vulnerability Disclosure Program Pilot
In April of 2021, the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot kicked off a twelve-month program to invite security researchers to hunt for vulnerabilities in DIB assets across several different organizations.
The DIB-VDP is a collaboration between the Department of Defense Cyber Crime Center (DC3), DoD Vulnerability Disclosure Program (DoD VDP), the Defense Counterintelligence and Security Agency (DCSA), and HackerOne. The goal of the DIB-VDP is to promote cybersecurity within DIB vendors and contractors through coordinated vulnerability disclosure, crowdsourced testing, and risk assessments to improve the security of critical assets ahead of exploitation or attack.
Two months into the DIB-VDP pilot, DC3 and HackerOne sat down to talk about the pilot’s early successes. Read on to see why DC3 continues to add new DIB companies to the pilot and new assets to the scope, learn which vulnerabilities hackers have found so far, and hear about their goals for the future.
Tell us a bit about yourself and your role within the DIB-VDP pilot.
I’m Melissa Vice, Chief Operations Officer of DoD VDP and POC for the DIB Vulnerability Disclosure Pilot. I was involved in all aspects of the planning, development, and implementation of the pilot. Now that it has launched, my role has shifted to providing daily support to the Designated Coordination Authority (DCA), from answering new DIB company questions to guiding the DIB-VDP team.
And I’m Michiel Prins, Co-founder and Head of Security Advisory Services at HackerOne. HackerOne has been working with the DoD for more than five years and we’re delighted to have our community hacking on the DIB-VDP Pilot. Our goal is to help ensure DIB companies can take the best practices learned through the Pentagon’s Vulnerability Disclosure Program and apply them to DIB suppliers for the continued security of critical national digital assets.
Tell us how the DIB-Vulnerability Disclosure Pilot came to exist. Why is this pilot so important?
Melissa Vice: DIB-VDP was born out of the desire to bring the lessons learned by the DoD Vulnerability Disclosure Program, run by the U.S. Department of Defense (DoD) Cyber Crime Center (DC3), to the Defense Industrial Base (DIB) in partnership with Defense Counterintelligence and Security Agency (DCSA). Since the DoD VDP began in 2016, over 31,000 vulnerabilities have been reported by 3,800 security researchers from across the globe, which shows the immense value of collaborating with hackers to reduce risk. The pilot offers this free preventive security service to the DIB companies to increase their cyber hygiene while reducing the public attack surface.
The pilot launched with 14 DIB companies and ~100 assets in scope. Today, there are 27 companies and 170 assets in scope. Why do you continue to add scope and new companies?
Melissa Vice: The DIB-VDP is following the activity curve represented in HackerOne’s Public Program Lifecycle. We experienced a larger than average surge of reports during the initial launch, but that activity naturally tapers off over time. On-boarding new DIB companies is a heavy upfront lift that takes approximately 60 days but stands to reward the crowd-sourced researcher community with a fresh supply of new assets on a recurring basis. We intend to continue to add new companies in batches on the 60-day battle rhythm until we either exhaust the 100 company licensing limit or the pilot deadline expires. Continually adding new assets benefits the existing DIB Participants by encouraging more researchers to reevaluate their asset lists too.
Who are the hackers hacking the DIB-VDP?
Michiel Prins: The HackerOne community is eager to do good in the world and is filled with diverse, smart, curious, and collaborative human beings. 47% of the hacker community actively participates in VDPs. 51% of those who hack VDPs do so out of a sense of responsibility, and 79% do it to learn. The DIB-VDP program gives these hackers a safe and secure channel to disclose vulnerabilities directly to the DC3 and DCSA teams to be fixed before bad actors can exploit a vulnerability.
You received 165 vulnerability reports with 38% validated reports since the pilot launched. What types of vulnerabilities are most important? What would you like to see more of?
Melissa Vice: To date, we have processed 57 (35%) critical to medium severity reports. Cross-site Scripting (XSS), Encryption Exploitations, Insecure Direct Object Reference (IDOR), and Remote Code Executions (RCE) are perennial attacks shared by both the DoD and DIB so far. The scope expansion signed in January 2021 for the DoD VDP to include “all publicly accessible information systems” may be applicable to the DIB Pilot Participants’ assets and open up new challenges for HackerOne’s researchers.
Overall, the researcher community was quick to engage with the DIB Pilot. The big thing to keep in mind when looking at the asset lists in this project is that over half are IP addresses or CIDR blocks and not hostnames. Sometimes those assets may be overlooked as it looks like an unresponsive IP or endpoint or just a block of empty space. Assets are hiding out there that may or may not have resolutions that are running web services and web apps, sometimes on common ports and sometimes on uncommon ports. Running the “-Pn” flag when running Nmap will forgo any kind of ICMP response and scan the target regardless; you’ll find there are some applications hiding out in all that IP space.
What’s one of the most interesting findings so far? How did this finding help you reduce risk?
Melissa Vice: One interesting finding would be the relation and/or comparison of the DoD VDP and DIB VDP. Many similar themes: unpatched Cisco devices vulnerable to specific CVEs between 2018 and 2020, the same thing we saw in the DoD but on a much larger scale. Other interesting findings we’re seeing are specifically Telerik issues, whether through deserialization or other common exploitable CVEs from the last few years. This similarity between the DoD and DIB efforts has helped speed up triage time, severity rating determination and enable quicker response times when advising stakeholders on the best course of action; and this goes both ways between programs.
The DoD put a Vulnerability Disclosure Program in place in 2016. How did learnings from the DoD VDP program help launch the DIB Vulnerability Disclosure Pilot?
Melissa Vice: DoD VDP has a matured CONOPS, Standard Operating Procedure (SOP), and Vulnerability Report Management Network (VRMN) (pronounced “vermin”) for triaging, validating, and tracking of remediated vulnerabilities. These products served as proofs-of-concept for the Pilot. The DIB-VRMN is a custom-developed and completely separate database with a workflow that fits the needs of DIB companies. DCISE, DCSA, and VDP provided additional staff who learned from the expertise of the DoD VDP team prior to the pilot’s launch.
From the DoD side, what long-term impact do you expect hackers to have?
Melissa Vice: One significant question that we are looking to answer is what other vulnerabilities and weaknesses does the Defense Industrial Base have in common with the DoD Information Network (DODIN)? Already we have seen some highly publicized CVEs associated with Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Drawing on the risks seen previously is a great place to start for the researcher community. Hackers have the opportunity to strengthen the security landscape of the cleared industrial base just as they have for the DODIN for the past four and a half years.
From the HackerOne side, what will the role of hackers look like in the future for efforts similar to the DIB-VDP?
Michiel Prins: Hackers are already a regular part of the security arsenal for many federal agencies and private sector businesses. The CISA Binding Operational Directive 20-01, for example, has mandated that all federal civilian agencies adopt a process for working with ethical hackers, emphasizing the vital role they play for organizations like those within the Defense Industrial Base. The DIB-VDP is a shining example of how hackers can be leveraged to their greatest potential, finding and reporting vulnerabilities in government assets across the DIB supply chain. The hacker community continues to grow in size and skill through education and collaboration on programs such as the DIB-VDP. Hackers already play a crucial role in securing application and data security for the federal government. We’re excited to continue providing fresh insights to government organizations on their evolving attack surfaces and extending the role of hackers throughout the supply chain.
Any advice you’d share with hackers interested in hacking on the DIB-VDP?
Melissa Vice: Hunt early and hunt often in the DIB Pilot. While it is true that those early hunters are often credited with the first findings, that does not mean all aspects of an asset have been thoroughly explored. Circle back after the dust settles to hunt again. You may uncover some missed opportunities during the early rush.