Over the last few years, government agencies like the U.S. Department of Defense have been crowdsourcing their cybersecurity and tapping into the knowledge of security researchers.
Now, federal civilian agencies are moving in that same direction.
The Cybersecurity and Infrastructure Security Agency (CISA) has announced its new Vulnerability Disclosure Policy (VDP) Platform, which will be a service to Federal Civilian Executive Branch (FCEB) agencies.
FCEB agencies will now be able to communicate effectively with the public hacker community, allowing those agencies to identify and monitor vulnerabilities in critical systems.
This further develops CISA's Binding Operational Directive (BOD) 20-01, which requires all FCEB agencies to develop and publish a VDP.
CISA says the platform "aims to promote good faith security research, ultimately resulting in improved security and coordinated disclosure across the federal civilian enterprise."
The platform is anticipated to be a software-as-a-service application that will be the main point of entry for vulnerability reporters and will alert other participating agencies of problems.
Here is a visual display from CISA of how the platform will work:
And here is how it describes the role of each player on the platform:
The primary goal of this platform is to encourage collaboration and information sharing between the public and private sectors.
This is a point the Biden Administration has made with its recent Executive Order, asking people to share any relevant cybersecurity information related to the recent string of ransomware attacks.
CISA claims that there are three major benefits to the platform, which are:
To make the VDP platform as effective as it can be, CISA has teamed up with Bugcrowd, a crowdsourced cybersecurity company, and Endyna, a government contractor that provides technology-based solutions.
Here is Ashish Gupta, CEO and President of Bugcrowd, on the need for this platform:
"As seen in the commercial and defense sectors, crowdsourced cybersecurity and vulnerability disclosure programs are a critical safeguard in helping reduce the risk of breach."
CISA says that any agency interested in participating or receiving additional information about the platform should contact the Cyber QSMO at QSMO@hq.dhs.gov.