US DOD Expands Vulnerability Bounty Program to Encompass Networks, IoT, More

The Department of Defense (DOD) has announced its Vulnerability Disclosure Program will expand to envelop all publicly accessible DOD information systems, including IoT devices.

The DOD Vulnerability Policy has been in force since 2016, but it only covered DOD public-facing websites and applications, until now. In the meantime, the world became a much more complicated place, as networks, new IoT devices and other types of hardware have permeated all levels of administration, creating a much larger attack surface.

“The original policy was limited to DOD public-facing websites and applications,” said Brett Goldstein, the director of the Defense Digital Service. “The expansion announced today allows for research and reporting of vulnerabilities related to all DOD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more.”

Knowing about possible vulnerabilities ahead of time is critical for attack prevention. Private enterprises already know this and have their own bounty programs designed to weed out vulnerabilities before they become a liability for companies.

The DOD will deploy the same kind of bounty program to try to secure its networks and devices against possible attacks.

“Since the Vulnerability Disclosure Program’s launch, hackers have submitted more than 29,000 vulnerability reports, with more than 70 percent of them determined to be valid,” the DOD official said.

With the drastic expansion of the bounty program, the number of reported vulnerabilities is expected to increase dramatically, along with the attack surface the program covers.

The announcement comes close in time to one of the most significant cyberattacks in history. One of the largest fuel pipeline operators in the US, Colonial Pipeline, was the target of a massive attack that affected the fuel supply of the entire US East Coast.