Despite regular security audits, attackers continue to intrude on business and government networks by exploiting unpatched vulnerabilities. To help federal civilian agencies in the U.S. manage their vulnerability disclosure process, the Cybersecurity and Infrastructure Security Agency (CISA) unveiled a new vulnerability disclosure policy (VDP).
The VDP program enables security researchers and bug hunters to report unpatched vulnerabilities in federal systems so they can be fixed before attackers exploit them.
Launched with the help of cybersecurity firms Bugcrowd and EnDyna, the VDP platform offers an official website where agencies list their vulnerability disclosure policies and bug hunters submit their vulnerability reports for analysis. Bugcrowd and EnDyna conduct the initial assessment of the reports submitted by researchers and then route them to the affected agencies. Various government agencies, including the Department of Homeland Security (DHS), the Department of the Interior (DoI), and the Department of Labor (DoL), are planning to leverage the new platform.
It shouldn’t be hard to report a vulnerability. @CISAgov‘s NEW Vulnerability Disclosure Platform makes it easy & safe to notify federal agencies of vulnerabilities so they can be fixed.
See a vulnerability? Report it: https://t.co/LHxeSAA3MA
Research community 🤝 @CISAgov pic.twitter.com/92nLE7tKGt
— Jen Easterly (@CISAJen) July 30, 2021
The crowdsourcing platform will give a clear picture to the Federal Civilian Executive Branch (FCEB) agencies on the potential vulnerabilities, which will eventually help enhance their overall cybersecurity posture.
The new platform will also help the government curb unnecessary expenses on cybersecurity, as agencies no longer need to introduce separate vulnerability disclosure programs. CISA estimates over $10 million in government-wide cost savings will be attained by leveraging its Cyber Quality Services Management Office (QSMO) shared services approach.
“CISA’s VDP Platform will help the FCEB improve day-to-day operations when managing vulnerabilities in their information systems. Agencies have the option to utilize the platform to serve as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers. Our goal is for the platform to act as a centralized vulnerability disclosure mechanism to enhance information sharing between the public and federal agencies. This approach will improve agencies’ ability to analyze, address, and communicate disclosed vulnerabilities,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA.
CISA’s Cyber Action Plan
CISA regularly alerts organizations to address critical bugs in their systems before they can be exploited. Recently, the agency warned organizations to fix multiple vulnerabilities affecting Ivanti Pulse Connect Secure (PCS) VPN appliances on their networks, citing four actively exploited vulnerabilities: CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893.