Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Announces Vulnerability Disclosure Policy Platform

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today announced that it has partnered with the crowdsourced cybersecurity community for the launch of its vulnerability disclosure policy (VDP) platform.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today announced that it has partnered with the crowdsourced cybersecurity community for the launch of its vulnerability disclosure policy (VDP) platform.

Working in collaboration with bug bounty platform Bugcrowd and government technology contractor Endyna, CISA introduced its VDP platform to help Federal Civilian Executive Branch (FCEB) agencies identify and address vulnerabilities in critical systems.

The platform was launched in support of Binding Operational Directive (BOD) 20-01, through which the Department of Homeland Security (DHS) instructed all federal agencies to develop and publish a vulnerability disclosure policy.

Courtesy of the new initiative, FCEB agencies will have the opportunity to coordinate with the civilian hacker community to identify and monitor vulnerabilities in their systems.

In addition to taking advantage of the CISA-funded VDP platform service, FCEB agencies can also implement their own bug bounty programs powered by Bugcrowd and Endyna, which has been awarded a one-year contract to provide a Software-as-a-service (SaaS) component for the platform.

The VDP platform service will provide vulnerability and user management and will also perform administrative and support operations. Centrally managed by CISA’s Cybersecurity Quality Services Management Office (Cyber QSMO), it will also facilitate the sharing of vulnerability information across agencies.

“CISA’s Vulnerability Disclosure Policy (VDP) Platform will support agencies with the option to use a centrally-managed system to intake vulnerability information from and collaborate with the public to improve the security of the agency’s internet-accessible systems. In furtherance of CISA’s issuance of Binding Operational Directive (BOD) 20-01, CISA’s Platform aims to promote good faith security research, ultimately resulting in improved security and coordinated disclosure across the federal civilian enterprise,” CISA says.

Related: DOD Expands Vulnerability Disclosure Program to Web-Facing Targets

Related: UK’s NCSC Publishes Guide to Implementing a Vulnerability Disclosure Process

Related: NSA, DHS Issue Guidance on Protective DNS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.