
CISA: Thousands of bugs remediated in second year of vulnerability disclosure program

Thousands of vulnerabilities were identified and remediated through a government clearinghouse in 2023, according to a new report from the nation’s top cybersecurity agency. 

The Cybersecurity and Infrastructure Security Agency (CISA) published its second report on the Vulnerability Disclosure Policy (VDP) Platform, which launched in 2021 as an organized way for federal civilian agencies to take in bug discoveries from researchers and resolve them.

CISA said through VDP, it triaged more than 7,000 submissions in 2023 on behalf of 51 federal agencies. 


Image: CISA

With 11 new agency programs onboarding in 2023, the VDP Platform drew heightened researcher attention and engagement, which facilitated a marked increase in the volume of vulnerability submissions received, valid vulnerabilities identified and vulnerabilities remediated, CISA explained.

In its second full year of operation, the platform recorded a total of 7,058 submissions, 1,094 valid disclosures and 872 remediated vulnerabilities. The number of critical vulnerabilities identified also increased to 250 in 2023.

“The VDP Platform offers agencies significant cost and time savings. While VDPs are a critical component of an agency’s vulnerability management process, implementation and management come with associated costs for agencies,” CISA said. 

“Handling disclosed vulnerabilities, triaging reports, corresponding with security researchers, and collecting and reporting required metrics are all labor-intensive steps that draw agency resources away from prioritizing valid vulnerability submissions and coordinating remediation activities.” 

Federal agencies typically have large attack surfaces and protect vast amounts of sensitive data but lack the resources to adequately protect themselves. VDP allows CISA to mitigate some of this risk, providing an extra layer of protection for agencies delivering public services. 

CISA said agencies that participate in VDP are able to save an average of about $4.45 million in potential remediation costs and are able to validate submissions two days faster than agencies that do not participate. CISA is also using VDP to gain better insight into vulnerability disclosures and threat trends across federal agencies.


Image: CISA

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.