CISA touts ‘tremendous growth’ in vulnerability disclosure platform

The U.S. federal government’s internal clearinghouse for cybersecurity vulnerabilities took in more than 1,300 valid reports in its first 18 months and prompted decisive action on most of them, saving as much as $4.35 million in estimated response and recovery efforts, according to the program’s first annual report.

The Vulnerability Disclosure Policy (VDP) Platform has seen “tremendous growth” in onboarding 40 agency programs since its launch in July 2021, the Cybersecurity and Infrastructure Security Agency said Friday in a news release.

The goal is to have an organized way for agencies to receive discoveries from cybersecurity researchers or other sources and share them across the government, including vulnerabilities identified during bug bounty contests. Typically agencies do not offer rewards for direct submissions, but they do award cash prizes through bug bounty competitions.

Agencies then make submissions to CISA, which collects them in “a streamlined shared service to support the receipt and adjudication” of important vulnerabilities.

“A VDP enables agencies to identify and address security vulnerabilities in their software or systems before these can be exploited by threat actors,” the agency said. “It also encourages researchers to report vulnerabilities and demonstrates federal agencies’ commitment to transparency, accountability, and collaboration with the public security researcher community.”

The report said that as of December 2022, the VDP Platform had “facilitated the remediation of 1,119 vulnerabilities out of 1,330 unique, validated submissions,” a rate of about 84 percent. The remaining issues were “addressed by compensating controls while full remediation proceeds,” said Jim Sheire, CISA’s head of Cybersecurity Shared Services, meaning that agencies have mitigated the risk by other means while a full fix is pending.

Some of the most commonly reported bugs involve cross-site scripting (XSS), in which malicious script is injected into an app or website and runs in other users’ browsers; server misconfigurations; and data exposure due to poorly designed web applications or weak encryption, the report said.

Private sector vendors EnDyna and Bugcrowd are partnering with CISA on the program.

The agency issued a binding operational directive (BOD 20-01) in 2020 requiring federal civilian agencies to develop VDPs. The report does not specify which agencies are already participating. The deadlines in the BOD have passed.

This week House lawmakers introduced legislation that would expand the vulnerability disclosure mandate to federal contractors, not just the agencies themselves. On the military side, the Defense Department has separate vulnerability disclosure programs.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.