CISA debuts vulnerability disclosure platform

Federal civilian agencies can tap a bug reporting system fielded as a shared service by the Cybersecurity and Infrastructure Security Agency to gather information on potential website and software vulnerabilities.

Federal civilian agencies can now use a bug reporting system to gather information on potential website and software vulnerabilities.

Fielded as a shared service by the Cybersecurity and Infrastructure Security Agency, the new vulnerability disclosure platform (VDP) is the first federal civilian enterprisewide, crowdsourced VDP platform, according to the website. Eleven agencies are currently listed on the platform, which invites security researchers to submit reports about potential flaws in agencies' internet-accessible systems. Participating organizations include the departments of Homeland Security, Agriculture and Labor, as well as the National Labor Relations Board and the Federal Retirement Thrift Investment Board.

According to a CISA fact sheet, the software-as-a-service platform is expected to screen and validate submitted reports, track vulnerability reports by reporter and by vulnerability type, let agency users create and manage role-based accounts, and expose an application programming interface for acting on vulnerability reports. Additionally, CISA plans for the VDP platform to deliver metrics that ease reporting requirements and to send alerts on updates, events of interest, and upcoming deadlines or approaching thresholds.

Vendors Bugcrowd and EnDyna are providing the platform, and contract employees will take the first look at submitted reports, performing an initial triage of the reported vulnerabilities. According to a CISA news release, giving the first read of bug reports to contractors will "free up agencies' time and resources and allow agencies to focus on those reports that have real impact."

As the cybersecurity shared services provider for the civilian federal government, CISA has taken the lead in offering agencies access to cybersecurity services. Agencies that adopt the VDP will have their own profile in the platform, giving them access to submissions and statistics, the fact sheet said.

This article was first posted to FCW, a sibling site to Defense Systems.