The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has debuted its vulnerability disclosure policy (VDP) platform for the federal civilian enterprise.
The platform's launch follows last fall's release of Binding Operational Directive 20-01 (BOD 20-01), issued in support of the Office of Management and Budget's memorandum M-20-32, "Improving Vulnerability Identification, Management, and Remediation." BOD 20-01 requires each federal civilian agency to publish a vulnerability disclosure policy that lets members of the public report vulnerabilities they find in the agency's internet-accessible systems.
CISA's platform, operated with Bugcrowd and EnDyna, is the newest shared service from CISA's Cyber Quality Services Management Office (QSMO). It provides a single, centrally managed website where agencies list the systems in scope for their vulnerability disclosure policies, and where security researchers and members of the public submit reports of flaws they have found in those agency systems for analysis. Among the agencies using the platform from the start are the Department of Homeland Security, the Department of Labor, and the Department of the Interior.
This approach is also a cost-saving measure, notes Eric Goldstein, executive assistant director for cybersecurity at CISA, in a blog post announcing the launch. With a single shared platform, agencies no longer need to build and operate their own disparate systems for receiving and triaging bug reports.
"The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified," he writes. Bugcrowd and EnDyna will conduct an initial assessment of submitted reports, he notes, freeing up agencies' resources "to focus on those reports that have real impact."
Read Goldstein's full blog post for more details.