U.S. Government Pilots Vulnerability Disclosure Program for DIB on HackerOne

Last updated May 17, 2024
Written by:
Bill Toulas
Infosec Writer

The U.S. is looking to turn the page and start a new chapter for cybersecurity, and exploring vulnerability disclosure programs (VDPs) for critical infrastructure is the way to go. This was officially announced as a plan back in September 2020, and we are now seeing the first pilot program on HackerOne. It is set up around the Defense Industrial Base (DIB) and involves participating DoD contractor partners’ information systems, web properties, and other identified scoped assets.

This practically recognizes the value of contributions from the security research community. The program can be seen as an attempt to extend the “official arm” to that community and build a strong relationship with it. As the announcement points out, this expansion in vulnerability research sits on a strong basis of over 30,000 exploits on DoD’s systems, identified and responsibly reported by security researchers in previous years.

The scope is just a snapshot of the complexity and scale of the digital landscape that cybersecurity pros are on the hook to protect, Yaniv Bar-Dayan of Vulcan Cyber tells us. As he further states:

Crowdsourcing security research and orchestrating and automating vulnerability remediation are two proven methods to defeat the scale monster before it eats all of us. DIB-VDP is a good start to defining a standardized approach to crowdsourcing vulnerability identification, but we can’t stop here. We must drive and measure remediation outcomes to truly secure digital infrastructure in the face of modern, cyber warfare.

Security researcher John Jackson tells us:

More people are starting to understand that hackers can be their greatest allies to protect from exploitation by reporting critical vulnerabilities. The CFAA is old and dated and only makes it harder for hackers to operate. This is honestly a step in the right direction. However, the responsibility to understand the reports, communicate with the hackers, and resolve the vulnerabilities is still on the program managers, and this is not free of complications or challenges.

For more information about the guidelines, scope of the program, legal limitations, and report submission instructions, you may check the program’s main page, where everything is laid out in detail. Reporters are allowed to test remotely, as long as it’s relevant to the detection and identification of a vulnerability, and then they’re allowed to share the information solely with DoD.

Exfiltration of data is prohibited. So is the publication of any details about the findings, the compromise of the privacy of any contractor or personnel of the DoD, and the actual exploitation that goes beyond the scope of proving the existence of a flaw. And finally, the testing scenarios that aren’t permitted under any circumstances include denial of service, phishing, and social engineering.


