The Cybersecurity and Infrastructure Security Agency (CISA) plans to launch a crowdsourced bug reporting site serving a range of federal government agencies. The Department of Homeland Security's cyber arm will work with Bugcrowd, a crowdsourced bug reporting site, to launch the project.
CISA will offer the bug reporting platform to federal government agencies. While it won't be a paid bug bounty program, it'll give security researchers a way to report bugs to government organizations through a system that guarantees a response and ensures officials note all bugs.
The deal follows the announcement of Binding Operational Directive 20-01 last September, in which CISA laid out plans to create a vulnerability disclosure policy (VDP). It directed agencies to publish a VDP policy on their websites within 180 days, describing what systems it covers and how security researchers can report bugs. It also mandates timelines for acknowledging and dealing with each bug.
Government technology contractor Endyna will support the reporting platform under a one-year software as a service (SaaS) contract. The arrangement includes an optional extension of up to four years.
The VDP effort has been brewing for a while. CISA originally published the draft of BDO 20-01 in November 2019, inviting public comment on the issue. The final BDO — and the forthcoming program — will carry forward some of CISA's original suggestions, including the mandatory inclusion of all new computing systems in the scope of an agency's VDP.
The directive also set out a two-year deadline for including all internet-accessible systems in agency VDPs.
RELATED RESOURCE
Don’t just educate: Create cyber-safe behaviour
Designing effective security awareness and training programmes
If nothing else, this should reduce the danger of legal threats against white hat hackers trying to report bugs to federal agencies. It mandates that agencies not issue threatening language as part of their VDP or pursue legal action against researchers trying to report bugs in good faith.
The directive also states CISA won't send any bugs it collects to the Vulnerabilities Equities Process (VEP). VEP is a government initiative that gives intelligence officials the option to store bugs secretly as potential weapons rather than releasing them to the public.
The Pentagon has taken its own approach to vulnerability reporting by offering paid bug bounty programs, including a new one launched this week.
-
A Windows 11 update bug is breaking SSDs – here’s what you can do to prevent itNews Users first began reporting the Windows 11 update bug last week
-
UK government set to back down on Apple encryption orderNews Tulsi Gabbard, US director of national intelligence, has confirmed the UK plans to back down on plans that would see Apple forced to create a "back door" for authorities.
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
‘All US forces must now assume their networks are compromised’ after Salt Typhoon breachNews The announcement marks the second major Salt Typhoon incident in the space of two years
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
