Every day, security researchers find and enable mitigation of vulnerabilities in products and web sites around the world – allowing vendors and defenders to fix problems before adversaries can cause harm. In 2019, CISA took action to ensure that the American people benefit from this essential work by releasing Binding Operational Directive (BOD) 20-01, which requires all federal civilian agencies to develop and publish a Vulnerability Disclosure Policy (VDP).
At the same time, we knew it wasn’t enough to establish a policy – we also had to make implementation a reality. In July 2021, we launched a government-wide VDP Platform to provide federal agencies a streamlined shared service to support the receipt and adjudication of VDP submissions. Today, CISA is excited to release its inaugural VDP Platform 2022 Annual Report, highlighting the service’s progress supporting vulnerability awareness and remediation across the federal enterprise. This report showcases how users have leveraged the VDP Platform to safeguard the Federal Civilian Executive Branch (FCEB).
Our VDP platform has seen tremendous growth, including the onboarding of 40 agency programs. It has received over 1,330 unique valid disclosures, and approximately 85% of these reports have been remediated. Through December 2022, the VDP Platform facilitated the remediation of over 1,000 vulnerabilities, including vulnerabilities present within CISA’s known exploited vulnerabilities catalog.
By establishing a VDP, federal agencies improve their vulnerability awareness, strengthen their security posture, and enjoy greater collaboration with the public security researcher community. A VDP enables agencies to identify and address security vulnerabilities in their software or systems before these can be exploited by threat actors. It also encourages researchers to report vulnerabilities and demonstrates federal agencies’ commitment to transparency, accountability, and collaboration with the public security researcher community.
The VDP Platform promotes an agency’s VDP to the public security researcher community, and harnesses that community’s expertise to search for and detect vulnerabilities that traditional scanning technology might not find. Moreover, CISA’s VDP Platform supports risk reduction by giving federal agencies a single, user-friendly interface to manage their VDP, intake vulnerability information, and collaborate with the public security researcher community. The VDP Platform helps participating agencies streamline day-to-day operations when intaking, managing, and reporting on cyber vulnerabilities identified by public security researchers. Benefits for participating agencies include the VDP Platform being centrally-funded by CISA and the platform’s time-saving capabilities like report validation, triaging, and reporting functions.
The annual report also showcases how the VDP Platform was utilized to support bug bounty programs, which are events that financially incentivize public security researchers, using participating agency funds, to examine specific systems for vulnerabilities. The VDP Platform was leveraged for DHS’s “Hack DHS Bug Bounty Event,” a pilot program in which 726 researchers were invited to search for and identify vulnerabilities across 13 DHS systems. Participating researchers identified 235 vulnerabilities, 40 of which were deemed critical. The VDP Platform also successfully supported the DHS team in a separate Log4j-specific bug bounty event that was created within 36 hours of the Log4j vulnerability’s emergence. These events demonstrated that the VDP Platform could stand up and facilitate a successful bug bounty event quickly and efficiently.
CISA is actively engaging agency partners and identifying opportunities to enhance its service delivery. CISA looks forward to the continued improvement and growth of the VDP Platform across the federal enterprise in 2023 and beyond.
Also, CISA is actively seeking to enhance future collaborations with the public security researcher community and welcomes participation and partnership. To learn more about the VDP Platform, please view our VDP 101 video.
Agencies interested in receiving additional information on the VDP Platform should contact vdpplatform@cisa.dhs.gov.