The Cybersecurity and Infrastructure Security Agency (CISA) is leading the call for a governmentwide vulnerability disclosure platform, with a request for proposals from agencies coming as soon as summer 2020.
CISA released the original request for information (RFI) in December 2019, detailing the agency’s interest in a software-as-a-service (SaaS) web application to report vulnerabilities and alert Federal information systems of potential issues. In response to the feedback it received, the agency released a May 26 follow-up RFI that confirmed a request for proposals was coming this summer.
The vulnerability disclosure platform will be an existing, commercially available SaaS platform providing executive civilian agencies with a centralized vulnerability disclosure platform and standardized submission, tracking, and routing of vulnerability reports. The reports will be directed to security researchers for resolution. CISA is also open to the possibility of offering financial incentives – so-called “bug bounties” – for valid submissions.
The SaaS service provider will assist CISA with project management support services and administration and operation of the vulnerability disclosure platform. The RFI also requests the service provider’s assistance with triage services and the bug bounty program.
The deadline for responding to the RFI has passed, but a lack of response will not impact service providers’ ability to respond to the forthcoming request for proposals.