CISA Launches New Vulnerability Disclosure Policy Platform

The VDP platform provides a single website where agencies can intake, triage, and route the vulnerabilities that researchers disclose.

Dark Reading Staff, Dark Reading

July 30, 2021


The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has debuted its vulnerability disclosure policy (VDP) platform for the federal civilian enterprise.

The launch of the VDP platform follows last fall's release of Binding Operational Directive 20-01 (BOD 20-01), issued in support of the Office of Management and Budget's memorandum M-20-32, "Improving Vulnerability Identification, Management, and Remediation." BOD 20-01 requires agencies to establish policies that enable the public to report vulnerabilities they discover in agency systems.

CISA's platform, run on Bugcrowd and EnDyna, is the newest shared service from CISA's Cyber Quality Services Management Office (QSMO). It provides a single, centrally managed website where agencies can list the systems in scope for their vulnerability disclosure policies. On the platform, security researchers and members of the public can report flaws they find in agency websites and submit them for analysis. Among the agencies using the platform from the start are the Department of Homeland Security, the Department of Labor, and the Department of the Interior.

This approach is also a cost-saving measure, notes Eric Goldstein, executive assistant director of cybersecurity at CISA, in a blog post on the news. Use of a single platform means agencies no longer need to develop their own disparate systems to enable bug reporting and triage.

"The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified," he writes. Bugcrowd and EnDyna will conduct an initial assessment of submitted reports, he notes, freeing up agencies' resources "to focus on those reports that have real impact."

Read Goldstein's full blog post for more details.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
