A program launched two years ago that allows security researchers to probe for cyber vulnerabilities in federal civilian agency networks has resulted in more than 1,300 valid disclosures, 85 percent of which have been remediated, a Department of Homeland Security agency said last week. Had any one of those vulnerabilities been exploited, the agency said, it could have cost the government about $4.4 million on average in response and recovery.
The Vulnerability Disclosure Policy (VDP) Platform, which grew out of a 2019 Binding Operational Directive released by the Cybersecurity and Infrastructure Security Agency (CISA) for all federal civilian agencies to create a VDP, has onboarded 40 agency programs and through December 2022 received 1,330 valid disclosures. Of these, 1,119 have been remediated, CISA said last Friday in the 2022 VDP Platform Annual Report.
The 1,330 validated disclosures were culled from nearly 4,100 unique submissions of potential vulnerabilities.
The VDP Platform was developed by two private sector vendors, EnDyna and Bugcrowd, and gives public security researchers a centralized dashboard to search for and disclose vulnerabilities on approved systems of federal civilian agencies. The platform in turn gives these agencies an opportunity to learn of potential cybersecurity vulnerabilities on their systems that otherwise might not be disclosed.