Digital Forensics2Vulnerability DisclosureVulnerability Disclosure Program (VDP)
Vulnerability Disclosure Program (VDP)
The DoD Vulnerability Disclosure Program (VDP) leverages the experience and knowledge of ethical hackers from around the world to improve network defenses and enhance mission assurance.

VDP Overview


Established in 2016 by the Secretary of Defense, the Vulnerability Disclosure Program (VDP) operates to strengthen the security of the DoD Information Network (DoDIN) by providing an additional layer to the defense-indepth cybersecurity strategy.

Our mission is to act as the single DoD focal point for receiving crowdsourced cybersecurity vulnerabilities on the DoDIN to improve network defenses and enhance mission assurance, by embracing a previously overlooked yet indispensable resource; private-sector white hat researchers. The success of the program relies solely on expertise and support from the security researcher community which contributes to the overall security of the DoD.

DoDIN information technologies, services, and systems provide critical capabilities to all military service members, their families, veterans, DoD civilians and contractors. Ultimately, VDP will drive an increase in the DoDIN’s cyber hygiene with the objective of ensuring DoD can accomplish its mission to defend the United States of America. 
 

VDP Fact Sheet VDP Annual Reports VDP Bug Bytes VDP Stories  
 

The VDP provides an independent assessment of DoDIN security and defensive measures by identifying:
 

  • Vulnerabilities not found by existing red-team and automated efforts

  • Non-compliance with cyber security guidance

  • Training deficiencies
         

Contact Us

General VDP Questions:  
 This link is not to be used to report

vulnerabilities on DoD networks
and systems.

VDP Policy & Reporting

To read the DoD Vulnerability Disclosure Policy and to submit a vulnerability report:
 
Submit DoD Vulnerability Report 

 Do not use this button to report

DIB-VDP Pilot vulnerabilities.
Select the button below.

Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) Pilot

VDP Capabilities

The DoD Vulnerability Disclosure Program:
 
  • Key component of the National Cyber Strategy, Pillar II, by promoting full lifecycle cybersecurity through the use of coordinated vulnerability disclosure, crowdsourced testing and risk assessments that improve resiliency ahead of exploitation or attack. 
  • Enhances the partnership between DoD and the computer security researcher community, building a positive feedback loop to enhance the DoDs security through the speedy discovery and remediation of vulnerabilities.
  • Reduces the time between when a vulnerability is discovered, when the system owner is notified and when the vulnerability is successfully mitigated. 
  • Provides an open channel and legal safe harbor for the discoverer of the vulnerability to report it to DoD. 
  • Facilitates the National Defense Strategy LOE “Build a More Lethal Force” by increasing the resilience of the DoDs cyberspace assets. 
  • Aligns with ISO 29147:2018 and ISO 30111.