Federal civilian agencies can now use a new vulnerability disclosure policy platform (VDP) that enables security researchers and members of the general public to report bugs they’ve uncovered in agency websites and submit the flaws for analysis.
The shared service is being run by the Cybersecurity and Infrastructure Security Agency (CISA) through its Cybersecurity Quality Services Management Office (Cyber QSMO) marketplace as the final version of the Binding Operational Directive (BOD 20-01), issued in support of the Office of Management and Budget M-20-32, Improving Vulnerability Identification, Management, and Remediation.
“This Directive reflects CISA’s commitment to strengthening cybersecurity and resilience for federal civilian agencies by requiring agencies to establish policies enabling the public to contribute and report vulnerability disclosures,” wrote Eric Goldstein, CISA Executive Assistant Director for Cybersecurity Eric Goldstein, in a blog post announcing the platform. “Recognizing that policies alone are not sufficient, we also announced plans to launch a vulnerability disclosure platform service in the near future. Today, the future arrived.”
The crowdsourcing style VDP gives federal agencies an avenue to lighten the load of complying with the binding operational directive, Goldstein said. The Department of Homeland Security, CISA's parent agency, has signed on to VDP as have the Department of the Interior and the Labor Department.
Service providers BugCrowd and EnDyna are providing the platform, which is expected to save more than $10 million across government agencies by streamlining input from the security research community and providing those reporting bugs with a single website to facilitate submission of vulnerabilities. In addition, agencies can use the platform as a primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers.
Both vendors will conduct an initial assessment of the submitted vulnerability reports which will free up agencies’ time and resources to focus on those reports that have real impact and help federal civilian agencies improve day-to-day operations when managing vulnerabilities in their information systems, Goldstein wrote. In addition, agencies can use the platform as a primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers.
“Our goal is for the platform to act as a centralized vulnerability disclosure mechanism to enhance information sharing between the public and federal agencies,” the CISA executive said. “This approach will improve agencies ability to analyze, address, and communicate disclosed vulnerabilities.”