Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) Vulnerability Disclosure Policy

Vulnerability Disclosure Policy

Purpose

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) involving participating DoD contractor partners’ information systems, web properties, other identified scoped assets, and submitting discovered vulnerabilities. This policy is separate and distinct from the DoD VDP policy. If questions arise, please take no action until that action is discussed with the DIB-VDP lead at the Department of Defense Cyber Crime Center (DC3).

No technology is perfect, but DC3 believes that working with skilled security researchers across the globe is crucial to identifying participating DoD contractor network weaknesses. We encourage you to notify us of any security issues for a product or service within the scope set by the DIB-VDP participant, and will work with you to resolve any issues promptly.

Overview

Maintaining the security of defense information within Defense Industrial Base (DIB) contractor networks is a high priority at DoD because this helps to defend the United States of America. Recognizing that the broader security research community regularly makes valuable contributions to the security of the Internet, the DoD believes that a close relationship with this community will also improve the security for participating DoD contractors. As a result, if you have information about a vulnerability in a network identified by a participating DoD contractor, we want to hear from you!

First, any information submitted to the DIB-VDP will be used for defensive purposes – to mitigate or remediate vulnerabilities in DoD contractor information systems, networks, or applications. This research is not contributing to offensive tools or capabilities.

Second, the DIB-VDP is part of DoD’s efforts to extend its relationship with outside security researchers. As of April 2024, security researchers have identified more than 50,000 potential exploits for DoD’s systems. The expansion of vulnerability research to participating DoD contractor networks replicates the DoD’s’ success by making participating DoD contractor networks available for vulnerability research.

Please review the DIB-VDP terms and conditions carefully. Before participating in the DIB-VDP and conducting any testing of participating DoD contractor networks prior to submitting a report, you must agree to abide by these new terms and conditions. Failure to abide by the terms and conditions will result in the loss of being considered a security researcher under this policy.

Scope

Identified DoD contractor network assets that are at published in the In Scope section below this policy. DoD contractor information system assets that are not published under the In Scope header are NOT available for research.

How to Submit a Report

Please provide a detailed summary of the vulnerability including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

By clicking “Submit Report,” you are indicating that you have read, understand, and agree to the terms and conditions of DIB-VDP for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to publicly accessible DoD information systems, and that you consent to having the contents of the communication and follow-up communications stored on a U.S. Government information system.

Guidelines

DIB-VDP will deal in good faith with security researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these terms and conditions:

• Your activities are limited exclusively to –
• (1) Testing, through remote means, to detect a vulnerability or identify an indicator related to a vulnerability that is limited to and within the scope of participating DoD contractor information systems that are identified and published at under the In Scope header; and
• (2) Sharing information solely with DoD or receiving information from DoD about a vulnerability or an indicator related to a vulnerability.
• You will do no harm and will not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
• You will avoid intentionally accessing the content of any communications, data, or information transiting or stored on participating DoD contractor information system or systems – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists. An information system is set of information resources for collecting, processing, maintaining, using, sharing, disseminating of information.
• You will not exfiltrate any data under any circumstances.
• You will not intentionally compromise the privacy or safety of DoD or participating DoD contractor personnel (e.g., civilian employees or military members), or any third parties.
• You will not intentionally compromise the intellectual property or other commercial or financial interests of any DoD personnel or entities, participating DoD contractors, or any third parties.
• You will not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written authorization from DIB-VDP.
• If during your research you are inadvertently exposed to information that the public is not authorized to access, you will effectively and permanently erase all identified information in your possession as directed by DIB-VDP and report to DIB-VDP that you have done so.
• You will not conduct denial of service testing.
• You will not conduct physical testing (e.g. office access, open doors, tailgating) or social engineering, including spear phishing, concerning DoD or participating DoD contractor personnel or others.
• You will not submit a high-volume of low-quality reports.
• If at any point you are uncertain whether to continue testing, please engage with our team.

What You Can Expect From Us

We take every disclosure seriously. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate all reported vulnerabilities.

DIB-VDP is committed to coordinating with the security researcher transparently and promptly. This includes taking the following actions:

• Within one business day, DIB-VDP will acknowledge receipt of your report. DIB-VDP’s security team will investigate the report and may contact you for further information.

• When practicable and authorized, DIB-VDP will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, while remediation of the vulnerability is under way.

• DIB-VDP wants researchers to be recognized publicly for their contributions, if that is the researcher’s desire. DIB-VDP will seek to allow researchers desiring to be publicly recognized, when practicable and authorized. However, public disclosure of vulnerabilities will only be authorized by the express written consent of DIB-VDP.

Legal

This policy does not grant authorization, permission, or otherwise allow express or implied access to DoD or participating DoD contractor information systems to any individual, group of individuals, consortium, partnership, or any other business or legal entity. However, if a security researcher working in accordance with the terms and conditions of DIB-VDP discloses a vulnerability, then: (1) DIB-VDP will, in the exercise of its authorities, take the following steps for DoD and the participating DoD contractor to: (1) not initiate or recommend any law enforcement action or civil lawsuits related to such activities against that researcher, and (2) Inform the pertinent law enforcement agencies or civil plaintiffs that the researchers activities were, to the best of our knowledge, conducted pursuant to, and in compliance, with the terms and conditions of DIB-VDP.

You must otherwise comply with all applicable Federal, State, and local laws in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of DIB-VDP or the law. If you engage in any activities that are inconsistent with the terms and conditions of DIB-VDP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-participating entity (e.g., other non-participating DoD other such third party), that non-DoD entity may independently determine whether to pursue legal action or remedies related to such activities.

DIB-VDP may modify the terms and conditions or terminate this policy at any time.