CISA Launches Vulnerability Disclosure Policy Platform for Civilian Agencies
The Cybersecurity and Infrastructure Security Agency has released its Vulnerability Disclosure Policy Platform for federal civilian agencies.
CISA said the VDP Platform serves as a centrally managed website that government agencies can use to list systems covered by their vulnerability disclosure policies.
Security researchers and members of the public may analyze the items listed on the website to discover vulnerabilities and help improve agencies’ cybersecurity postures.
CISA expects the government to save more than $10 billion by eliminating the need for agencies to develop their own systems for reporting and diagnosing vulnerabilities.
CISA said the platform provides a streamlined process for the research community to collaborate with agencies and submit vulnerability reports.
The product will be offered through CISA’s Quality Services Management Office, which serves as an outlet for the agency to offer cybersecurity capabilities to the government and potentially beyond.
CISA said the office also helps customers automate processes and data collection to reduce operational costs.
The departments of Homeland Security, Labor and the Interior are among the agencies that plan to immediately adopt the VDP Platform.
Bug bounty company Bugcrowd and federal technology company EnDyna developed the VDP Platform for CISA.
The duo will be responsible for conducting initial assessments of the vulnerability reports submitted.
In September 2020, CISA issued a directive requiring agencies to establish policies that enable the public to contribute to federal cybersecurity.
Eric Goldstein, CISA’s executive director for cybersecurity, said the agency launched the VDP Platform “recognizing that policies alone are not sufficient.”