CISA debuts vulnerability disclosure platform
Federal civilian agencies can tap a bug reporting system fielded as a shared service by the Cybersecurity and Infrastructure Security Agency to gather information on potential website and software vulnerabilities.
Federal civilian agencies can now use a bug reporting system fielded as a shared service by the Cybersecurity and Infrastructure Security Agency to gather information on potential website and software vulnerabilities.
The Department of Homeland Security, CISA's parent agency, signed on as an early adopter of the new vulnerability disclosure platform (VDP). The Departments of the Interior and Labor also intend to use the new system, which invites cybersecurity researchers to submit reports about potential flaws on internet-accessible government systems.
Vendors BugCrowd and EnDyna are providing the platform, and contract employees will take the first look at reports submitted, conducting an initial assessment of the submitted vulnerabilities. According to a news release by CISA, giving the first read of bug reports to contractors will "free up agencies' time and resources and allow agencies to focus on those reports that have real impact."
As the cybersecurity shared services provider to the civilian federal government, CISA has taken the lead in offering agency access to cybersecurity services. Agencies that adopt the VDP will have their own profile in the platform that gives them access submissions and statistics, according to a CISA fact sheet.
Bug bounties are optional, according to the fact sheet.