May 4 (UPI) -- The Pentagon announced Tuesday that it is expanding its Vulnerability Disclosure Program to include all publicly accessible information systems in the Defense Department.
The program grew out of the department's "Hack the Pentagon initiative," which started in 2016, according to a Pentagon press release.
In 2016 then-Defense Secretary Ashton Carter met with two hackers to congratulate them for alerting the Pentagon to potential vulnerabilities in several Defense Department websites.
The hackers were the most successful participants in a "Hack the Pentagon" event begun earlier that year -- the Defense Department's first-ever "bug bounty."
Prior to that, there was no way for ethical hackers to interact with the Department of Defense even if they spotted a vulnerability in its systems.
"Because of this, many vulnerabilities went unreported," Brett Goldstein, the director of the Defense Digital Service, said in the DoD's release. "The DOD Vulnerability Policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."
The DoD Cyber Crime Center oversees the Vulnerability Disclosure Program, which has received more than 29,000 vulnerability reports -- 70% of which have been found to be valid, according to officials.
The original policy was limited to the department's public-facing websites and applications, but now hackers are invited to investigate vulnerabilities related to all DOD publicly-accessible networks, Goldstein said in the release.
The expansion also includes frequency-based communication, the Internet of Things and industrial control systems.
"The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," said Cyber Crime Center director Kristopher Johnson.
In July 2015 a Pentagon email system used by personnel of the Joint Chiefs of Staff was breached in a sophisticated cyberattack officials said was committed by Russian state actors.
In January 2020 the Pentagon announced that it would require at least some contractors bidding on defense contracts to certify that they meet "at least a basic level of cybersecurity standards" in their proposals.