Building a VDP Program: Lessons from the Battlefield

Presented by

Charles G. Yarbrough, Senior Engineer, Software Engineering Institute

About this talk

The DoD's Vulnerability Disclosure Program (VDP) is the oldest and largest such program in the world. Born as a permanent sustainment of the 2016 Hack the Pentagon Bug Bounty Program, the DoD VDP is the central point for crowdsourced vulnerability discovery and also tracks vulnerabilities from initial report to completed mitigation.

This presentation will:

Enrich: Provide historical background and the need for building VDP programs, as well as a new methodological construct of the vulnerability lifecycle to better understand vulnerability data.

Enable: Outline the functions and stakeholder roles in building a VDP. Through a case study of a buildout of a Defense Industrial Base VDP program, we'll show how VDPs can help inoculate organizations through vulnerability information sharing.

Excel: Reduce an attack surface through an additional outer layer of defense.

Learning objectives:

1. Describe what a vulnerability disclosure program (VDP) is and why it is an important component of an organization's security platform.
2. Define how a VDP differs from traditional vulnerability management programs.
3. Describe ways that a vulnerability can be shared between organizations in order to better protect security partners.
