The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) last week introduced a new platform that allows federal civilian agencies to enable security researchers to legally probe select information systems and websites and report on vulnerabilities they discover.
The platform follows the Binding Operational Directive that CISA issued to the federal civilian executive branch in September 2020, which requires most agencies to publish a vulnerability disclosure policy (VDP). A VDP tells people who “find flaws in an agency’s digital infrastructure” where to report them and which types of testing are allowed on which systems.
The VDP Platform essentially provides a channel through which security researchers and others can examine agency websites and public-facing information systems for vulnerabilities, alerting agencies to potential weaknesses so they can fix them.
The new “VDP Platform provides a single, centrally managed website that agencies can leverage as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by researchers,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, wrote July 29 on the agency’s blog. “It enables researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis.”
So far, 11 departments and agencies are participating in the VDP Platform, including DHS. Each agency lists the websites that are “in-scope,” meaning that security researchers may search them for vulnerabilities and report what they find.
The VDP Platform was created by Bugcrowd Inc. and EnDyna for CISA.