CISA debuts vulnerability disclosure platform

Federal civilian agencies can now use a bug reporting system fielded as a shared service by the Cybersecurity and Infrastructure Security Agency to gather information on potential website and software vulnerabilities.

The Department of Homeland Security, CISA's parent agency, signed on as an early adopter of the new vulnerability disclosure platform (VDP). The Departments of the Interior and Labor also intend to use the new system, which invites cybersecurity researchers to submit reports about potential flaws on internet-accessible government systems.

Vendors BugCrowd and EnDyna are providing the platform, and contract employees will take the first look at reports submitted, conducting an initial assessment of the submitted vulnerabilities. According to a news release by CISA, giving the first read of bug reports to contractors will "free up agencies' time and resources and allow agencies to focus on those reports that have real impact."

As the cybersecurity shared services provider to the civilian federal government, CISA has taken the lead in offering agency access to cybersecurity services. Agencies that adopt the VDP will have their own profile in the platform that gives them access to submissions and statistics, according to a CISA fact sheet.

Bug bounties are optional, according to the fact sheet.
