Department of Defense Cyber Crime Center (DC3), A Federal Cyber Center

Calling All Hackers: We Want To Work With You


LINTHICUM, Md. (April 12, 2019) Vulnerability Disclosure Program team member Joshua Levy monitors the cybersecurity researcher leaderboard on the HackerOne portal. HackerOne is DoD's primary source for vulnerability reporting and is responsible for vetting and registering VDP's cybersecurity researchers. The VDP serves as DoD's focal point for crowd-sourced vulnerability reporting and interacting with private citizen cybersecurity researchers, popularly referred to as "hackers." (Photo by Stephen Murphy)

By Stephen Murphy, DC3 Public Affairs

Our agency is a little different: we actually work with hackers to improve our public-facing websites.

The Department of Defense Cyber Crime Center (DC3) stood up its Vulnerability Disclosure Program (VDP) in November 2016. The VDP was tasked as DoD's focal point for crowd-sourced vulnerability reporting and interacting with private citizen cybersecurity researchers, popularly referred to as "hackers."

Since then, VDP has processed more than 9,000 vulnerabilities discovered by researchers within DoD's publicly facing websites, with nearly 70 percent confirmed by VDP as genuine and requiring action to mitigate. The program was derived from the "Hack the Pentagon" bug-bounty pilot program launched in April 2016 by the Defense Digital Service, in which cybersecurity researchers used their skill sets to find vulnerabilities within DoD websites. Those managing the "Hack the Pentagon" pilot noticed that researchers reported many vulnerabilities in websites outside the scope eligible for bounty payments.

“The DoD bug-bounty programs are phenomenally successful,” said Kristopher Johnson, VDP director.  “However, the programs are limited to about one to four weeks in length.  They are one-off events with very narrow scope, and they pay the researchers by the bounty.”

The difference with VDP is that cybersecurity researchers are not paid bounties for these so-called "out of scope" vulnerabilities. Instead, they work toward gaining credibility and earning reputation points, which may lead to work opportunities such as "invitation only" private bug bounty programs. The VDP cybersecurity researchers are ranked on a leaderboard managed by HackerOne, a contractor that provides a vulnerability and bug bounty reporting platform service for commercial businesses and DoD. HackerOne is DoD's primary source for vulnerability reporting and is responsible for vetting and registering VDP's cybersecurity researchers.

A key enabler of VDP’s success was the establishment of a DoD policy, approved by the Department of Justice, that provided guidance and boundaries by which the “good guy” hackers could engage in vulnerability research without fear of federal prosecution.

“It is important to note that many in the hacker community discovered vulnerabilities on DoD websites, but would not disclose them to the government for fear of prosecution,” Johnson said.  “At the end of the day, I don’t think anyone wants to risk going to jail for telling someone about a security issue on their website.”

Johnson said another contributing factor to VDP's success is its partnerships with researchers, the website/system owners and the Joint Force Headquarters Department of Defense Information Network (JFHQ-DoDIN), a U.S. Cyber Command component responsible for securing, operating and defending DoD's complex infrastructure of nearly 15,000 networks.

The reporting process begins when a researcher submits a vulnerability report to VDP via the HackerOne portal. Reports deemed legitimate by VDP are logged into VDP's Vulnerability Report Management Network (VRMN).

“The beauty about VRMN is the fact that it is built on the commercial JIRA [issue and project tracking software] platform, is able to be highly modified to meet our requirements, scalable for all future growth, and logs every single action and comment within each report,” Johnson said.  “It gives us the ability to look at the 30,000 ft. view, produce reports for leadership or get in the weeds on who touched what and when.”

The VRMN was launched in May 2018 and is still a fairly new capability for VDP. Prior to VRMN, VDP used a patchwork of tools across both classified and unclassified networks: network share drives, web portals, spreadsheets, email, phone calls and so on. VRMN streamlines this process and provides VDP with a single, secure and unified platform to manage each vulnerability through the entire process. Every action, conversation and detail associated with a vulnerability is automatically captured and stored within VRMN, delivering total process visibility to VDP and its DoD customers.

“Operationally, we have seen a 26 percent decrease (2019 vs 2018) in the average resolution time of a vulnerability while, during the same period of time, the vulnerability submissions increased,” Johnson said.  “As someone that is always seeking to implement change in order to be more efficient, VRMN is a real game changer.”

Once reports are logged into VRMN, VDP teams perform multiple tasks, first ensuring that a vulnerability report is not spam, a duplicate or incomplete. In some cases, VDP communicates directly with researchers to obtain missing data required before the reported vulnerability can be assessed. A VDP validation team then evaluates the researcher's vulnerability assertions for technical accuracy by attempting to replicate the researcher's steps using a multitude of tools, programs, services and methodologies. VDP informs the submitting researcher via the HackerOne platform whether the vulnerability has been validated; validated vulnerabilities are then assigned for remedial action within DoD. VDP assigns validated vulnerabilities to JFHQ-DoDIN for action. JFHQ-DoDIN, in turn, issues a remediation "Cyber Task Order" to the responsible Service component or other DoD activity that operates the website, with a suspense date set according to the assessed severity of the vulnerability.

After a vulnerability is fixed and logged as remediated within VRMN, it is reassigned to a VDP validation team to confirm the reported fix was successful.  Once the fix is validated, VDP notifies and provides appropriate recognition to the researcher for his or her contribution to improving national security.
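As an added illustration (not code from DC3 or the VDP program), here is a small Python model of the workflow in the two paragraphs above: a guarded state machine that refuses out-of-order transitions, records every move the way the article says VRMN does, and computes average resolution time from that record. The suspense-day mapping, the report fields and the duplicate-detection rule are assumptions.

```python
# Added example (not DC3 or VDP code): a minimal model of the report lifecycle the
# article describes, with guarded state transitions, an append-only audit trail and a
# resolution-time metric derived from it. Suspense days and field names are assumed.
from datetime import date, timedelta
SUSPENSE_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}  # assumed
REQUIRED = ("title", "asset", "steps", "severity")  # assumed report fields
# Allowed transitions; anything else is refused so the trail stays trustworthy.
NEXT = {"new": {"rejected", "needs_info", "validating"},
        "needs_info": {"needs_info", "validating", "rejected"},
        "validating": {"assigned", "rejected"}, "assigned": {"remediated"},
        "remediated": {"closed", "assigned"}}  # failed re-validation reopens

class Tracker:
    def __init__(self):
        self.reports, self.log, self.seen = {}, [], set()
    def _move(self, rid, state, day, note=""):
        cur = self.reports[rid]["state"]
        if state not in NEXT.get(cur, ()):
            raise ValueError(f"{rid}: {cur} -> {state} not allowed")
        self.reports[rid]["state"] = state
        self.log.append((date.fromisoformat(day), rid, cur, state, note))
    def submit(self, rid, report, day):  # intake from the researcher portal
        self.reports[rid] = {"state": "new", **report}
        self.log.append((date.fromisoformat(day), rid, None, "new", ""))
        self.triage(rid, day)
    def triage(self, rid, day):  # incomplete / duplicate screen before validation
        r = self.reports[rid]
        missing = [f for f in REQUIRED if not r.get(f)]
        if missing:
            return self._move(rid, "needs_info", day, "missing " + ",".join(missing))
        key = (r["asset"].lower(), r["title"].strip().lower())
        if key in self.seen:
            return self._move(rid, "rejected", day, "duplicate")
        self.seen.add(key)
        self._move(rid, "validating", day)
    def supply(self, rid, updates, day):  # researcher answers a request for data
        self.reports[rid].update(updates)
        self.triage(rid, day)
    def assign(self, rid, day):  # validated -> task order with a suspense date
        sev = self.reports[rid]["severity"]
        due = date.fromisoformat(day) + timedelta(days=SUSPENSE_DAYS[sev])
        self._move(rid, "assigned", day, f"due {due}")
        return due
    def remediated(self, rid, day):
        self._move(rid, "remediated", day)
    def close(self, rid, day, fix_ok):  # re-validation verdict
        self._move(rid, "closed" if fix_ok else "assigned", day)
    def avg_resolution_days(self):  # submission to confirmed fix, from the trail
        opened = {r: d for d, r, old, _, _ in self.log if old is None}
        done = [(d - opened[r]).days for d, r, _, new, _ in self.log if new == "closed"]
        return sum(done) / len(done) if done else None
```

A failed re-validation sends the report back to "assigned" rather than closing it, so the metric only counts fixes the validation team actually confirmed.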

“At the end of the day, the elimination of a vulnerability is a win-win-win situation for the DoD and its researchers,” Johnson said.  “The DoD has one less cyber threat to deal with, the Warfighter will be able to operate on a more secure platform and the researcher earns credibility for his or her work.”

Johnson notes that the VDP program has been steadily growing as a result of its extensive communication with researchers and its industry-leading turnaround times for correcting vulnerabilities. Through engagement at cybersecurity conferences, the DC3 website and proactive outreach using social media, VDP has promoted its program externally, resulting in more researchers joining each day. DC3 VDP currently has more than 900 researchers in 45 countries analyzing all publicly accessible DoD websites. VDP is on pace to have its busiest year so far in 2019, with more than 5,000 vulnerability reports projected.

“Based upon the [results of the] Ponemon Institute 2017 Cost of Cyber Crime study, the VDP has saved US taxpayers an estimated $22.9 million from successful web attacks,” said Johnson.  “I am thankful and so very blessed to be leading such a wonderful, innovative team here in DC3.  They are the industry's subject matter experts when it comes to vulnerabilities, and the tight-knit group is always ready to take on a new challenge together no matter the size or complexity.  One Team One Fight!”