The Cybersecurity and Infrastructure Security Agency (CISA), through its Vulnerability Disclosure Policy (VDP) platform, has helped save an estimated average of $4.45 million in potential remediation costs for critical and severe vulnerabilities across the Federal government.
The agency published its VDP Platform 2023 Annual Report on Monday, revealing that the platform has triaged more than 12,000 submissions (over 7,000 of them in 2023) on behalf of 51 onboarded agency programs since its launch in 2021.
CISA said this has saved agencies “a significant amount of time and resources,” adding that over 2,400 unique, valid vulnerability disclosures have been identified – of which nearly 2,000 have been remediated by agencies.
“Throughout 2023, CISA focused on advocating for the increased agency adoption of the VDP Platform, supporting Federal civilian executive branch (FCEB) agencies in identifying vulnerabilities in their systems, and engaging the public security researcher community,” CISA said in a Sept. 30 press release.
In 2020, CISA issued a binding operational directive (BOD 20-01) requiring Federal civilian executive branch agencies to develop and publish a vulnerability disclosure policy. The VDP Platform, launched the following year, gives FCEB agencies a centrally managed channel for receiving and triaging vulnerability reports from the public security researcher community, so that each agency does not have to build and staff its own intake process.
According to the report, the VDP platform saw “continued growth in 2023” with 11 new agency programs joining the platform. CISA said this “facilitated a marked increase in the volume of vulnerability submissions received, valid vulnerabilities identified, and vulnerabilities remediated.”
For example, the report says the number of “critical vulnerabilities” identified in agencies’ networks grew by 130 percent in 2023 compared to the previous year.
Perhaps most notable, however, is the "significant cost and time savings" the report attributes to the VDP Platform.
“Federal agencies often have large attack surfaces and limited resources allocated to defend them, so efficiencies offered through the VDP Platform can have a significant impact on an agency’s ability to drive down cyber risk,” the report says.
“On average, participating agencies validate submissions two days faster than non-participating agencies,” it adds. “Across these agencies, an estimated average of $4.45 million in potential remediation costs for critical and severe vulnerabilities has been saved.”
Federal agencies are not the only ones seeing a monetary benefit. According to the report, bug bounty payouts to security researchers through the platform totaled $335,000 in 2023.