CISA Expanding Mandatory Vulnerability Disclosure ProgramSecurity Agency Will Use Bugcrowd, EnDyna for Platform
The U.S. Cybersecurity and Infrastructure Security Agency is preparing to expand its vulnerability research and disclosure program, which is now mandatory for nearly all executive branch agencies within the federal government.
On Tuesday, CISA announced that it would establish a vulnerability disclosure policy platform for ethical hackers and security researchers to use to officially report bugs and flaws in applications and websites used by about 150 government agencies that fall under the umbrella of the federal civilian executive branch.
The cybersecurity agency is launching the disclosure platform in conjunction with Bugcrowd, which CISA will use to host the vulnerability disclosure platform, and EnDyna, a government IT contractor that will provide a SaaS component to the bug disclosure platform, according to the joint announcement (see: The Economics of Software Flaw Discoveries, Exploits).
The creation of a vulnerability disclosure platform for federal agencies is part of a binding operational directive that CISA issued in September 2020, which ordered most executive branch departments to create these programs in order to enhance security around the public-facing websites and apps that the government uses (see: US Agencies Must Create Vulnerability Disclosure Policies).
As part of the CISA order, most executive branch agencies had to create their vulnerability disclosure programs by March, which includes giving guidance to researchers for how to submit reports about vulnerabilities and bugs in federal IT systems and software.
"A vulnerability disclosure policy (VDP) is an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems. This directive requires each agency to develop and publish a VDP and maintain supporting handling procedures," according to CISA's operational directive order.
The creation of the vulnerability disclosure platform for executive branch agencies comes at a time when the Biden administration has made cybersecurity a significant priority in the wake of several ransomware incidents, including the Colonial Pipeline Co. attack, and nation-state hacking campaigns that have affected portions of the U.S. government.
As part of a cybersecurity-centric executive order issued on May 12, the White House is requiring executive branch agencies to remove some of the contractual barriers that hamper the sharing of threat intelligence between agencies that have responsibility for national security and cybersecurity, such as the FBI and CISA, and private companies that provide cloud and other IT services to the federal government (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
Under the newly established vulnerability disclosure program and platform, security researchers and ethical hackers will now have a dedicated portal hosted by Bugcrowd to report vulnerabilities and flaws to various government agencies.
Ashish Gupta, Bugcrowd CEO, says that hundreds of security researchers and ethical hackers who already use his company's platform have expressed interest in hunting for bugs and flaws across various federal networks.
"The whole idea behind a vulnerability disclosure program - among other things that are contained in CISA's operative directive - is that you now have the ability to get the knowledge of the public faster to help you secure your environment that much faster," Gupta tells Information Security Media Group.
Gupta notes that when the government vulnerability disclosure platform goes live over the next year - with some federal agencies starting before others - researchers and ethical hackers will focus on public-facing websites and applications first and that classified systems and networks are out of bounds for now. Also, CISA will not pay out bug bounties at first. This approach will help establish the program and ensure that researchers are focused on finding flaws in government applications.
"For now, it's more of a passive approach, where you're getting input and you're testing the bug bounty program, getting input from people who are interested to help give you some insight before putting incentives in place," Gupta says.
While most executive branch agencies do not have experience with vulnerability disclosure programs, the U.S. Department of Defense has proven that these types of bug-hunting initiates can be successful.
The "Hack the Pentagon" program was first launched in 2016 to encourage ethical hackers and security researchers to find flaws in public-facing Defense Department applications and websites. Since then, more than 29,000 vulnerabilities have been reported, with more than 70% of these flaws determined to be valid, according to the DOD.
In May, the Pentagon announced the program will be expanded to include all publicly accessible Defense Department systems, which includes internet of things devices, industrial control systems, networks and frequency-based communication systems (see: 'Hack the Pentagon' Program Expands).
Most of the Defense Department vulnerability programs, including one used by the U.S. Army, are operated through HackerOne, another disclosure platform provider, although Bugcrowd has previously worked with the U.S. Air Force on its bug disclosure programs.