The Cybersecurity and Infrastructure Security Agency (CISA) reported that its Vulnerability Disclosure Policy (VDP) platform has helped agencies uncover and address more than 1,000 bugs through December 2022.
Of that total, nearly 200 of the vulnerabilities surfaced through the platform are considered “critical,” CISA said.
According to its inaugural report on the VDP Platform – published on Aug. 25 – 40 agency programs have joined the CISA platform and received more than 1,300 “validated” vulnerability submissions from researchers. CISA launched the platform in July 2021.
“Our VDP platform has seen tremendous growth, including the onboarding of 40 agency programs. It has received over 1,330 unique valid disclosures, and approximately 85% of these reports have been remediated,” CISA’s Chief of the Cybersecurity Shared Services Office, Jim Sheire, wrote in a blog post. “Through December 2022, the VDP Platform facilitated the remediation of over 1,000 vulnerabilities, including vulnerabilities present within CISA’s known exploited vulnerabilities catalog.”
In a September 2020 binding operational directive, CISA told agencies to develop and publish a VDP to allow good-faith security research on all internet-accessible systems or services.
“By establishing a VDP, federal agencies improve their vulnerability awareness, strengthen their security posture, and enjoy greater collaboration with the public security researcher community,” Sheire wrote. “A VDP enables agencies to identify and address security vulnerabilities in their software or systems before these can be exploited by threat actors.”
It also encourages researchers to report vulnerabilities and demonstrates federal agencies’ commitment to transparency, accountability, and collaboration with the public security researcher community, according to the blog post.
“The VDP Platform promotes an agency’s VDP to the public security researcher community, and harnesses that community’s expertise to search for and detect vulnerabilities that traditional scanning technology might not find,” Sheire added. “Moreover, CISA’s VDP Platform supports risk reduction by giving federal agencies a single, user-friendly interface to manage their VDP, intake vulnerability information, and collaborate with the public security researcher community.”
According to CISA, the VDP Platform helps participating agencies streamline day-to-day operations when intaking, managing, and reporting on cyber vulnerabilities identified by public security researchers.
Other benefits for participating agencies include the platform being centrally funded by CISA, and time-saving capabilities such as report validation, triaging, and reporting functions.
Out of the more than 1,300 reports that were found to be valid disclosures, CISA reports that 192 were “critical” vulnerabilities, the most serious and dangerous category. Eighty-two were “severe” vulnerabilities, while 757 were considered “moderate” and 299 “low/informational.”
The use of bug bounties – when agencies specifically pay researchers to find vulnerabilities – is voluntary under the CISA VDP platform. CISA reports that bug bounties “tend to draw elite researchers” since financial compensation is in play.
The Department of Homeland Security (DHS) launched a “Hack DHS” bug bounty program that allowed researchers to probe 13 DHS systems for vulnerabilities. They uncovered 235, including 40 “critical” bugs, with payouts totaling $329,900.
And when the Log4j vulnerability hit in late 2021, DHS launched a separate bug bounty leveraging its new platform to find any instances of the critical bug on its networks. The Log4j example shows “the flexibility of the VDP Platform,” CISA’s report notes, while “laying a path for other agencies to follow for future widespread vulnerabilities.”