DoD Vulnerability Disclosure Program · 2019-08-01 · A Federal Cyber Center VDP Performance Report

A Federal Cyber Center

VDP Performance Report

Mission Brief: The U.S. Government will promote regular testing and exercising of the cybersecurity and resilience of products and systems during development using best practices from forward-leaning industries. This also includes promotion and use of coordinated vulnerability disclosure, crowd-sourced testing, and other innovative assessments that improve resiliency ahead of exploitation or attack.

—National Cyber Strategy of the United States of America. September 2018

DoD Cyber Crime Center (DC3) Bug Bytes—June 2019

DoD Vulnerability Disclosure Program

@DC3VDP [email protected]

Vulnerability Types: Leading CWEs for the Month

  Vulnerability type                        Number of submissions
  Cross-site Scripting (XSS) - Reflected    28
  Information Disclosure                    17
  Path Traversal                             7
  Violation of Secure Design Principles      6
  Open Redirect                              3

Grand Total Vulnerabilities Since Launch: 9,892 (as of 30JUN2019)

Total Number of Researchers Since Launch: 1,201

DoD Return on Investment (ROI): 797%

Knowledge Bytes: What's the difference between CWE and CVE?

Common Weakness Enumeration (CWE): Computer Software/Patch Malfunctions
Common Vulnerabilities and Exposures (CVE): Security Exposures

Researcher of the Month! We are excited to announce the June 2019 DoD VDP Researcher of the Month Award goes to Regan "Scrag" Doyle with HackerOne! He submitted a high severity finding that could allow an adversary to collect sensitive PII data from a DoD website vulnerable to IDOR. Great work and thank you!

Risk · Vulnerability · Exploit

[Chart: New Vulnerabilities Submitted by Month (1337), monthly counts from Apr-18 through Jun-19; y-axis 0 to 600]

[Chart: Severity breakdown (Critical/High, Medium, Low, Out of Scope); slices of 14%, 32%, 27% and 27%]