The Cybersecurity and Infrastructure Security Agency officially launched its Vulnerability Disclosure Policy platform Friday, paving the way for private security researchers to poke and prod (selected) federal agency systems and websites for flaws without worrying about a potential knock on the door from law enforcement.
The VDP platform was built by crowdsourcing vulnerability research company BugCrowd and cybersecurity contractor EnDyna. The departments of Homeland Security, Labor and Interior will be the first federal agencies to participate in the project.
“This new platform allows agencies to gain greater insights into potential vulnerabilities, thereby improving their cybersecurity posture,” wrote Eric Goldstein, CISA’s executive assistant director for cybersecurity in a blog post Friday. “This approach also enables significant government-wide cost savings, as agencies no longer need to develop their own, separate systems to enable reporting and triage of identified vulnerabilities.”
BugCrowd’s website also lists a number of agencies currently participating in the program, including the Federal Communications Commission, the National labor Relations Board, the Federal Retirement Thrift Investment Board, the Millennium Challenge Corporation, USDA, the Privacy and Civil Liberties Oversight Board, the Equal Opportunity Employment Commission, the Occupation, Safety and Health Review Commission and the Court Services and Offender Supervision Agency.
Each participating agency’s page is composed of three sections: an overview of that agency’s vulnerability disclosure policy and a list of in scope systems, a “CrowdStream” tab to review bug submissions and public reports, and a “Hall of Fame” section that celebrates individual researchers who find unique, valid vulnerabilities.
The platform is part of a suite of services that CISA now offers to other agencies through their role as the Quality Service Management Offerings lead for cybersecurity. QSMOs allow certain departments of agencies to leverage their specific expertise to develop centralized and standardized shared service solutions that other departments and agencies can use. In addition to CISA, other QSMOs include the Department of the Treasury (core financial management services) the General Services Administration (civilian HR transaction services) and the Department of Health and Human Services (federal grants management, innovations and efficiencies.)
The idea is that by centralizing management and hosting within one specialist agency (CISA, in this case) it will save money and reduce the overall burden on the rest of the federal government. To that end, the platform will preliminarily vet the submissions for spam and quality before handing off the validated bug reports to the agencies themselves for remediation. CISA estimated that the government will collectively save about $10 million by leveraging the service.
It also serves as a capstone for efforts over the past few years to modernize the structure and process around vulnerability reporting for federal agencies, many of which did not have or define their own VDPs prior to a Binding Operational Directive issued by CISA last year mandating them.
Third-party vulnerability research and coordinated disclosure to the public can often be fraught with tensions between the researcher or companies who find such bugs for a living and the companies or entities that make affected products. Some organizations take a hostile posture towards outside researchers who find weaknesses in their systems or hardware, while others disagree about the severity of the flaw or downplay it for PR reasons. Sometimes, a researcher is threatened with civil or criminal penalties if they don’t desist, creating a need for legal safe harbor to do their work.
This dynamic is particularly perilous for systems that are owned or operated by the federal government, both because many agencies where a misunderstanding between a researcher and agency could potentially lead to criminal charges.
It’s why the cybersecurity industry has been more broadly pushing organizations in the private and public sector to develop and publish their vulnerability disclosure process, define the scope of the systems, websites and hardware in bounds for research and preemptively pledge not to pursue criminal or civil prosecution for researchers who are operating in good faith. The VDP platform is one of the first steps to incorporate that status quo in the federal government.