Vulnerability Disclosure Program (VDP)
Established in 2016 by the Secretary of Defense, the Vulnerability Disclosure Program (VDP) operates to strengthen the security of the DoW Information Network (DoWIN) by providing an additional layer to the defense-in-depth cybersecurity strategy.
Vulnerability Disclosure Program Overview


The mission of the DoW VDP is to function as the single focal point for receiving vulnerability reports and interacting with crowd-sourced cybersecurity researchers supporting the DoWIN.1 This improves network defenses and enhances mission assurance by embracing a previously overlooked, yet indispensable, resource: private-sector white hat researchers.

In January 2021, the DoW VDP scope was officially expanded from public-facing websites to all publicly accessible information systems throughout the DoW. This broadens the protection for the DoW attack surface and offers a safe harbor for researchers while providing more asset and technology security. The success of the program relies solely on the expertise and support of the security researcher community, and the program’s success contributes to the overall security of the DoW.

DoWIN information technologies, services, and systems provide critical capabilities to all military service members, their families, veterans, DoW civilians, and contractors. Ultimately, VDP will drive an increase in the cyber hygiene of the DoWIN, with the objective of ensuring that the DoW can accomplish its mission of defending the United States of America.

1 DODI 8531.01 DoD Vulnerability Management Section. 2.11

  VDP Annual Reports    VDP Bug Bytes    VDP News  
 

VDP Policy & Reporting

To read the DoW Vulnerability Disclosure Policy and to submit a vulnerability report:
 

Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP)

Contact Us
Email:
General VDP Questions
dc3.vdpquestions@us.af.mil
 
Click to subscribe and receive future communications and updates.

 This link is not to be used to report vulnerabilities on DoW networks and systems.

Vulnerability Disclosure Program Capabilities

The DoW Vulnerability Disclosure Program:
 
  • As a key component of the National Cyber Strategy, Pillar II, promotes full-lifecycle cybersecurity through the use of coordinated vulnerability disclosure, crowdsourced testing, and risk assessments that improve resiliency ahead of exploitation or attack
  • Enhances the partnership between DoW and the computer security researcher community, building a positive feedback loop to enhance the security of the DoW through the speedy discovery and remediation of vulnerabilities
  • Reduces the elapsed time from discovery of a vulnerability to notification of the system owner to successful mitigation of the vulnerability
  • Provides an open channel and legal safe harbor for the discoverer of the vulnerability to report it to DoW
  • Facilitates the National Defense Strategy LOE “Build a More Lethal Force” by increasing the resilience of DoW cyberspace assets
  • Aligns with ISO/IEC 29147:2018 and ISO/IEC 30111:2019

VDP Awards

2019 DOD CIO Award Winners - Cybersecurity Team
We are truly honored to be selected amongst a very competitive pool of nominees for the DOD CIO award for Cybersecurity. Winning the DOD CIO Award demonstrates how the importance of the DOD Vulnerability Disclosure Program (VDP) is to protect the DOD Information Network (DODIN) as another layer to any effective defense-in-depth strategy using the vast capabilities of the white-hat researcher community.

2022 DOD CIO Award Winners - Defense Industrial Base Vulnerability Disclosure Pilot (DIB-VDP) Team
Winning this award demonstrates the importance of leveraging the lessons learned from the VDP program to protect the Defense Industrial Base (DIB). The DC3 DIB-VDP team would like to thank the Defense Counterintelligence and Security Agency (DCSA) for their collaborative effort on the pilot and our critical partnership with the crowdsourced ethical researchers.