The US Defence Department's vulnerability disclosure programme (VDP) has yielded 2,837 security flaws in the nearly one year since its inception.
While a bounty or cash incentives are not awarded for vulnerabilities reported through the VDP, that has not stopped hackers eager to do their part to help protect the US DoD's assets, HackerOne, which runs the programme, said in a blog post. The company called the VDP “the ‘see something, say something’ of the internet.”
Implemented just after the agency introduced its successful Hack the Pentagon bug bounty programme, the initiative, spearheaded by the department's Defence Digital team, has unearthed more than 100 vulnerabilities deemed critical and has attracted about 650 white hat hackers from more than 50 countries who have scoured the Defence Department's public-facing websites for flaws. HackerOne said that, in addition to the United States, India, Russia, the UK, France, Pakistan, Canada, the Philippines, Egypt and Australia are the top flaw-reporting countries to date.
Under Hack the Pentagon, the Defence Department “has resolved nearly 500 vulnerabilities in public facing systems with bug bounty challenges,” yielding hackers more than US$300,000 (£230,000) in bounties “and saving the DoD millions of dollars,” HackerOne noted.
The woman who spearheaded development of the Department of Defence's “Hack the Pentagon” bug bounty programme recommended last summer that all US federal agencies looking to implement a similar initiative do so under one single umbrella programme.
“If we were in a position as a government to have one consolidated organisation that could do such a thing, it would make great sense. I think that's absolutely the world in which we're moving,” said Lisa Wiswell, former digital security lead with the DoD, at DEF CON 25.