The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new vulnerability disclosure policy (VDP) platform for the Federal civilian enterprise that gives agencies a single crowdsourcing platform for receiving vulnerability reports.
The platform, provided by BugCrowd and EnDyna, supports CISA’s Binding Operational Directive from last fall, which requires the Federal government to develop and publish VDPs.
“The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, wrote in a blog post. “This new platform allows agencies to gain greater insights into potential vulnerabilities, thereby improving their cybersecurity posture.”
Additionally, the platform is expected to offer significant cost savings to agencies, which no longer need to develop their own systems for vulnerability reporting. CISA estimates the platform will provide over $10 million in government-wide cost savings.
“Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings,” Goldstein wrote. “The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified.”
BugCrowd and EnDyna will conduct an initial assessment of the vulnerability reports submitted, allowing agencies to focus on accurate and impactful reports.
So far, the VDP platform has 11 participating programs, including the Department of Homeland Security, the Department of Labor, the Federal Communications Commission, and the Department of Agriculture.