Vulnerability Management, Government Regulations

CISA: Vulnerability Disclosure Policy Platform Shows “Tremendous Growth”

Credit: Cybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA), through the Vulnerability Disclosure Policy (VDP) platform, received thousands of valid vulnerability reports in 2022, almost all of which were remediated, according to the agency’s inaugural annual report.

Specifically, as of December 2022, the VDP Platform had “facilitated the remediation of 1,119 vulnerabilities out of 1,330 unique, validated submissions,” or about 85%, the report said. The action saved the government millions of dollars in the process, CISA said.

How the VDP Platform Functions

A VDP enables agencies to identify and address security vulnerabilities in their software or systems before these can be exploited by threat actors. It also encourages researchers to report vulnerabilities and demonstrates federal agencies’ commitment to transparency, accountability, and collaboration with the public security researcher community.

Had a single one of the 1,119 remediated vulnerabilities been exploited, resulting in a full data breach, the federal government may have spent an estimated $4.35 million in response and recovery, with each vulnerability adding additional spending on response activities.”

The platform's foundation dates to 2019, its genesis coming from Operational Binding Directive (BOD) 20-01 that required all federal civilian agencies to develop and publish a Vulnerability Disclosure Policy. The idea was to enable vendors and defenders to fix problems before adversaries can cause harm.

In July 2021, CISA launched a government-wide VDP Platform to provide federal agencies a streamlined shared service to support the receipt and adjudication of VDP submissions. It is from both of those developments that sprung the 2022 annual report. The report, CISA said, showcases how users have leveraged the VDP Platform to “safeguard the Federal Civilian Executive Branch (FCEB).”

The platform has seen “tremendous growth,” including the onboarding of 40 agency programs,” said Jim Sheire, CISA's head of Cybersecurity Shared Services, in a blog post. Also, the platform allows agencies to submit vulnerabilities to CISA, which chronicles them in a “streamlined shared service.”

Platform Supports DHS Bug Bounty Events

The annual report also showcases how the VDP Platform was used to support bug bounty programs, which offer financial compensation using participating agency funds. The VDP Platform was leveraged for DHS’s pilot program “Hack DHS Bug Bounty Event.”

The program’s metrics, include:

  • 726 researchers invited
  • 13 participating DHS systems
  • 235 vulnerabilities identified
  • 40 critical vulnerabilities identified
  • $329,000 total awarded.

The end goal is to have researchers find bugs to share across government agencies in return for financial rewards. CISA pointed to a successfully supported a DHS team in a separate Log4j-specific bug bounty event that was created within 36 hours of the Log4j vulnerability’s emergence.

Private sector vendors EnDyna and Bugcrowd are partnering with CISA on the VDP platform.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.