The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it has launched a vulnerability disclosure policy (VDP) platform in partnership with the crowdsourced security community.
CISA launched its VDP platform along with Bugcrowd, a bug bounty platform, and Endyna, a government technology contractor, to assist Federal Civilian Executive Branch (FCEB) agencies in identifying and addressing vulnerabilities in critical systems.
In addition, this platform will help CISA share information with other agencies about security flaws.
“As seen in the commercial and defense sectors, crowdsourced cybersecurity and vulnerability disclosure programs are a critical safeguard in helping reduce the risk of breach,” said Ashish Gupta, CEO and President of Bugcrowd. “The need for cyber resilience and risk management is unprecedented in today’s digitally connected world and the partnership between CISA and Bugcrowd provides the most powerful crowdsourced cybersecurity platform solution to address the government’s growing need for contextually intelligent security assessments to protect its vast attack surface. We are honored to be the first crowdsourced cybersecurity vendor to work with CISA on an FCEB-wide proactive defense strategy through our VDP solution.”
“We are firmly committed to enhancing government defenses and improving security operations across network infrastructures,” said Ashok Siddhanti, CEO of Endyna. “Our fundamental goal is to radically improve the FCEB’s ability to detect and remediate security gaps within these respective agencies’ digital infrastructures, and we look forward to working with Bugcrowd to advance government security.”
CISA’s Platform facilitates communication about vulnerabilities between the public and participating agencies, providing several benefits to those agencies, including:
- Compliance with Federal Requirements: The Platform will be centrally managed by CISA’s Cybersecurity Quality Services Management Office (Cyber QSMO), which will ensure the Platform meets all relevant government-wide standards, policy, and business requirements.
- Reduced Agency Burden: The Platform service provider will host and manage the Platform, including administrative responsibilities, user management, and support. The service will include basic triage of submitted vulnerability reports, enabling agencies to focus on those reports that have real impact.
- Improved Information Sharing Across Federal Enterprise: By allowing CISA to maintain insight into disclosure activities, the Platform will increase the sharing of vulnerability information across agencies.
The Platform will provide a primary point of entry for vulnerability reporters to alert participating agencies of potential issues on federal information systems. The following outlines some of the expected functionality of the CISA Platform.
- Screens spam and performs a basic level of validation of the submitted report.
- Tracks reported vulnerabilities and links reports that are related by reporter, vulnerability type, or other criteria.
- Provides a web-based communication mechanism between the reporter and the agency.
- Allows agency users to create and manage role-based accounts for their organization or suborganizations.
- Offers an application programming interface (API) to take various actions on vulnerability reports or pull metrics.
- Delivers metrics around reports, minimizing agency burden in complying with BOD 20-01’s reporting requirements.
- Gives alerts to the reporter and agency users on updates, as well as to CISA based on events of interest, metrics approaching or hitting defined thresholds, etc. These alerts should be configurable in the user interface and available via API.
Additional information regarding functionality will become available as acquisition of the Platform is completed.