In the first 18 months since the federal government launched its vulnerability disclosure platform, the 40 participating agencies have received more than 1,300 valid bug reports, nearly 200 of which were for critical vulnerabilities in agency systems.
The government’s VDP platform grew out of a 2020 binding operational directive from the Cybersecurity and Infrastructure Security Agency (CISA) that required every civilian federal agency to develop a vulnerability disclosure policy (VDP). Although VDPs have become relatively common in the private sector, they were rare in the federal government until the directive came out. The goal was to engage the security research community in finding vulnerabilities in federal networks, while giving those researchers a defined framework for reporting new bugs to the agencies.
Since the VDP platform launched in 2021, 40 agencies have joined it and researchers have submitted 4,091 issues. The triage team validated 1,330 of those as actual vulnerabilities, and the agencies involved have remediated 1,119 of them. Most of the valid submissions (757) were rated moderate, while 82 were rated severe and 192 were rated critical.
“A VDP enables agencies to identify and address security vulnerabilities in their software or systems before these can be exploited by threat actors. It also encourages researchers to report vulnerabilities and demonstrates federal agencies’ commitment to transparency, accountability, and collaboration with the public security researcher community,” Jim Sheire, chief of the Cybersecurity Shared Services Office, said in a post on the VDP annual report for 2022, released Friday.
“The VDP Platform helps participating agencies streamline day-to-day operations when intaking, managing, and reporting on cyber vulnerabilities identified by public security researchers. Benefits for participating agencies include the VDP Platform being centrally funded by CISA and the platform’s time-saving capabilities like report validation, triaging, and reporting functions.”
Although the CISA directive applies only to federal civilian agencies, there is some interest in extending the requirement to federal contractors. Last week, Rep. Nancy Mace (R-S.C.) introduced a bill that would require contractors to implement vulnerability reporting policies that conform to the National Institute of Standards and Technology’s guidelines. Given how much sensitive data federal contractors handle, vulnerabilities in their networks and systems can have broad effects on the security of government data and systems.
“By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly,” said Mace. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information."
Implementing a VDP is neither simple nor quick, even for large enterprises or government agencies; it requires financial and human resources as well as considerable time to get right. So any requirement for federal contractors to implement a VDP, if the bill passes, would not take effect overnight.