More than 1,000 federal system flaws fixed via CISA's bug reporting platform

The Cybersecurity and Infrastructure Security Agency says it has a secret weapon that is rapidly improving vulnerability management and compliance reporting across the federal enterprise, according to a new report. 

The report published on Friday assessed the effectiveness of CISA’s Vulnerability Disclosure Policy platform and said it had facilitated the remediation of over 1,000 vulnerabilities since it was first launched by the agency's Cybersecurity Shared Services Office in 2021. The VDP platform has onboarded 40 federal entities and received over 1,300 disclosures — nearly 85% of which have been remediated — in total. 

Jim Sheire, CISA's chief of the Shared Services Office, told Nextgov/FCW that the voluntary platform has created a burgeoning community of federal entities and vendors focused on remediating known vulnerabilities before they can be exploited by cybercriminals.

“This started primarily at CISA looking at how to better partner with and leverage the great work that private researchers are doing, and how we could better harness that,” Sheire said. “It’s led to great outcomes in terms of risk reduction.” 

The platform provides agencies with a streamlined approach to managing their vulnerability disclosure policies, as well as collaborating with other federal entities and the public security researcher community on mitigation strategies for known vulnerabilities. 

Public security researchers can use the platform to easily access agencies' vulnerability disclosure programs and submit reports about known vulnerabilities. Agencies then receive alerts from the platform about valid identifications of vulnerabilities and can leverage the system to coordinate with the researcher and CISA on remediation techniques. 

Sheire said that the platform allows agencies to bolster their overall cybersecurity and enhance remediation efforts at no cost through February 2025 — and added that CISA is aiming to scale up the program over the next two years.

The platform was utilized in various vulnerability remediation initiatives throughout 2022, according to the report, including several bug bounties launched by the Department of Homeland Security. One of those exercises, dubbed "Hack DHS," identified over 235 vulnerabilities, including 40 that were deemed critical. 

It was also used in a separate DHS bug bounty initiative launched in the immediate aftermath of the Log4j vulnerability, the report said.