The United States Department of Defense (DOD) has expanded its ethical hacking program to include more targets.
DoD officials announced yesterday that the Department's Vulnerability Disclosure Program will be broadened to include all publicly accessible DOD information systems.
Bug hunters were first invited to engage with the DOD in 2016 when the initiative 'Hack the Pentagon' was launched. Through this initiative, the Defense Digital Service set up a bug bounty program to reward ethical hackers for identifying flaws in the Department's digital defenses.
Director of the Defense Digital Service Brett Goldstein said that before the initiative was introduced, ethical hackers who discovered a vulnerability had no way of communicating their findings to the DOD.
"Because of this, many vulnerabilities went unreported," said Goldstein.
He added: "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."
When the vulnerability hunting policy was first established, it was limited to DOD public-facing applications and websites.
Goldstein said that the newly announced expansion will allow for research and reporting of vulnerabilities detected in all DOD publicly accessible networks, Internet of Things, industrial control systems, frequency-based communication, and more.
"This expansion is a testament to transforming the government's approach to security and leapfrogging the current state of technology within DOD," said the director.
The expanded Vulnerability Disclosure program will continue to be overseen by the DOD's Cyber Crime Center. Growing it to catch more vulnerabilities and improve cybersecurity was an obvious and sensible progression, according to program director Kristopher Johnson.
He said: "The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," he said.
Ethical hackers have submitted more than 29,000 vulnerability reports through the Vulnerability Disclosure Program since it was launched. Johnson said that over 70% of those reported weaknesses proved to be valid.
The program director said that he expects the number of disclosures reported by the security researcher community to increase significantly with the expansion of the program, which was last extended in 2018.