search menu icon-carat-right cmu-wordmark

Coordinated Vulnerability Disclosure for DoD Websites

Art Manion
• SEI Blog
Art Manion

Almost 30 years ago, the SEI's CERT Coordination Center established a program that enabled security researchers in the field to report vulnerabilities they found in an organization's software or systems. But this capability did not always include vulnerabilities found on Department of Defense (DoD) sites. In 2017, the SEI helped expand vulnerability reporting to the DoD by establishing the DoD Vulnerability Disclosure program. This blog post, which was adapted from an article in the recently published 2017 Year in Review, highlights our work on this program.

The DoD began evolving towards its more transparent and modernized vulnerability disclosure policy in 2016. Realizing the value of contributions that security researchers make to the security of the Internet, the DoD forged a relationship to encourage vulnerability testing and reporting for DoD websites. First, it introduced two successful bug bounty programs--"Hack the Pentagon" and "Hack the Army"--that rewarded registered participants with cash payouts for reporting verifiable vulnerabilities. As first experiments with public vulnerability reporting, these programs were appropriately and intentionally limited in length and scope.

The DoD then decided to establish a more permanent capability. In 2016, the DoD tasked the institute to work with the DoD Cyber Crime Center (DC3) to develop a program to provide clear guidance for security researchers on disclosing vulnerabilities found in any DoD public-facing website: the Department of Defense Vulnerability Disclosure Policy (DVDP). Ash Carter, then Secretary of Defense, was a strong proponent of this "see something, say something" policy, and he expressed satisfaction with its success in bolstering the department's and nation's security.

During the first phase of the DVDP, the SEI helped design processes and operationally handled inbound reports from researchers, validating vulnerabilities, passing them to the DC3 for mitigation, and later validating the applied fixes. We have currently transitioned day-to-day operations to DC3 and we provide ongoing policy, process, and technical reach-back support.

We see a need for many more organizations to adopt coordinated vulnerability disclosure (CVD) practices. The CERT Guide to Coordinated Vulnerability Disclosure, published in 2017, provides a comprehensive guide for establishing a successful CVD capability. As the guide makes clear, CVD is a socio-technical challenge, requiring collaboration among vendors, researchers, and other stakeholders. While pinpointing the vulnerability and fixing it is technical, the rest is process and policy and trying to get things done effectively without causing people undue stress and work.

Helping to design and operate the DVDP is a great exercise in applying and modernizing coordinated vulnerability disclosure lessons learned during the past few decades. The DVDP is a lasting way for the DoD to improve the security of public-facing websites and to engage with the security research community.

The SEI's mission is to advance the technologies and practices needed to acquire, develop, operate, and sustain software systems that are innovative, trustworthy, and enduring. The 2017 Year in Review highlights the work of the institute undertaken during the fiscal year spanning October 1, 2016, to September 30, 2017.

Additional Resources

To learn more about this and other topics discussed in the Year in Review, visit resources.sei.cmu.edu and search for "2017 Year in Review Resources."

Download the 2017 Year in Review.

About the Author