US Department of Defense claims to have flushed out 50,000 vulnerabilities with bug bounty program


The US Department of Defense (DoD) passed the significant milestone of logging more than 50,000 vulnerabilities through its vulnerability disclosure program (VDP).

The VDP was launched in November 2016 by the DoD Cyber Crime Center (DC3), and logged its 50,000th vulnerability on March 15, 2024.

The DC3 VDP program incentivises white-hat hackers to find bugs and vulnerabilities in DoD websites and applications by rewarding them depending on the severity of the vulnerabilities they discover.

50,000 potential avenues of attack patched

DC3 has gradually enhanced the efficiency of bug reporting and tracking over the program's lifetime, with the Vulnerability Report Management Network being launched in 2018, introducing automation to the reporting process.

In a public statement to mark the occasion, DC3 said, “The program’s advancement has enabled VDP to expand their mitigative scope to not only process findings on DoD websites and applications, but to include all publicly accessible and/or available information technology assets owned and operated by the Joint Force Headquarters DoD Information Network.”

The reward offered to ethical hackers who successfully identify vulnerabilities is expected to be significantly lower than the financial impact a potential breach could have on the DoD. In fact, in 2021 DC3 launched a 12-month program with the Defense Counterintelligence and Security Agency to boost the security of SMEs in the Defense Industrial Base (DIB).

According to the DC3, the initiative “saved taxpayers an estimated $61m by discovering and remediating more than 400 active vulnerabilities and Controlled Unclassified Information exfiltration threats by adversaries on DIB participants’ public-facing assets.”

The DoD also holds a hackathon known as 'Hack the Pentagon' that offers ethical hackers the opportunity to seek out bugs in other critical areas of national defense such as the Army, Marine Corps, and Air Force.


Benedict Collins
Staff Writer (Security)