Saturday, July 31, 2021

Review - CISA Announces VDP Platform

Earlier this week CISA announced the establishment of their Vulnerability Disclosure Policy Platform (VDP Platform). According to the announcement: “The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis.”

According to the CISA fact sheet on the VDP Platform, the Platform is being offered as a software-as-a-service program to support individual department and agency VDPs. CISA’s Cyber Quality Services Management Office (QSMO) provides platform oversight, and the Platform is currently operated by BugCrowd. Supported agencies will retain responsibility for vulnerability confirmation and remediation. While the platform is designed to support bug bounty programs, there does not appear to be any agency that is currently sponsoring such a program.

The OMB’s Office of Information and Regulatory Affairs (OIRA) approved an emergency expansion of an information collection request (ICR) to cover this VDP Platform back in March. CISA is required to update that ICR by September 30th, 2021.

For more detailed information, including links to agency VDP sites, see my article at CFSN Detailed Analysis (subscription required).
