Security News > 2021 > August > CISA launches US federal vulnerability disclosure platform

Bug hunters who want to help the US federal government secure their online assets can now source all the relevant information from a vulnerability disclosure policy platform offered by the Cybersecurity and Infrastructure Security Agency.

"Through this crowdsourcing platform, Federal Civilian Executive Branch agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified," Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, explained.

Binding Operational Directive 20-01, released in September 2020, mandates that all FCEB agencies must develop and publish a vulnerability disclosure policy.

This newly established VDP platform is run by BugCrowd, a bug bounty and vulnerability disclosure company, and EnDyna, a government contractor that provides science and technology-based solutions to several US federal agencies.

The two companies will conduct an initial assessment of the vulnerability reports submitted, and the agencies will focus on those reports "That have real impact," Goldstein noted.

Generally, the agencies prohibit bug hunters to engage in physical testing of facilities, social engineering and other non-technical vulnerability testing, as well as testing that could impair access to or damage a system or data.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/AI4C9boeRfI/