Security Experts:

CISA Announces Vulnerability Disclosure Policy Platform

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today announced that it has partnered with the crowdsourced cybersecurity community for the launch of its vulnerability disclosure policy (VDP) platform.

Working in collaboration with bug bounty platform Bugcrowd and government technology contractor Endyna, CISA introduced its VDP platform to help Federal Civilian Executive Branch (FCEB) agencies identify and address vulnerabilities in critical systems.

The platform was launched in support of Binding Operational Directive (BOD) 20-01, through which the Department of Homeland Security (DHS) instructed all federal agencies to develop and publish a vulnerability disclosure policy.

Courtesy of the new initiative, FCEB agencies will have the opportunity to coordinate with the civilian hacker community to identify and monitor vulnerabilities in their systems.

In addition to taking advantage of the CISA-funded VDP platform service, FCEB agencies can also implement their own bug bounty programs powered by Bugcrowd and Endyna, which has been awarded a one-year contract to provide a Software-as-a-service (SaaS) component for the platform.

The VDP platform service will provide vulnerability and user management and will also perform administrative and support operations. Centrally managed by CISA’s Cybersecurity Quality Services Management Office (Cyber QSMO), it will also facilitate the sharing of vulnerability information across agencies.

“CISA’s Vulnerability Disclosure Policy (VDP) Platform will support agencies with the option to use a centrally-managed system to intake vulnerability information from and collaborate with the public to improve the security of the agency’s internet-accessible systems. In furtherance of CISA’s issuance of Binding Operational Directive (BOD) 20-01, CISA’s Platform aims to promote good faith security research, ultimately resulting in improved security and coordinated disclosure across the federal civilian enterprise,” CISA says.

Related: DOD Expands Vulnerability Disclosure Program to Web-Facing Targets

Related: UK's NCSC Publishes Guide to Implementing a Vulnerability Disclosure Process

Related: NSA, DHS Issue Guidance on Protective DNS

view counter