
The U.S. CISA has released its 2023 Annual Report for the Vulnerability Disclosure Policy (VDP) Platform. Over the past year, the agency concentrated on promoting greater adoption of the VDP Platform among agencies, assisting federal civilian executive branch (FCEB) agencies in identifying system vulnerabilities, and collaborating with the public security researcher community.
As part of CISA’s persistent and ongoing collaboration with the public security researcher community, CISA issued Binding Operational Directive (BOD) 20-01 in 2020, which requires every FCEB agency to establish a VDP.
CISA’s VDP Platform complements BOD 20-01 by giving FCEB agencies an easy way to establish a VDP and engage with public security researchers. CISA appreciates the contributions of thousands of public security researchers to date and looks forward to continuing to broaden this collaboration further in the future.
Since its launch in 2021, the VDP Platform has triaged over 12,000 submissions on behalf of 51 onboarded agency programs, saving agencies a significant amount of time and resources, and over 2,400 unique, valid vulnerability disclosures have been identified, of which nearly 2,000 have been remediated by agencies. Since its launch, over 3,200 security researchers have participated in FCEB VDPs via the VDP platform.
The agency reported that the VDP Platform saw continued growth in 2023, attributed to several beneficial interdependent factors. The findings reflect the most common software faults identified in internet-facing systems of agencies participating in the VDP platform.
CISA acknowledged that thousands of security researchers participating in the VDP Platform bring unique skill sets and perspectives to the hunt for vulnerabilities in agency systems.
Through this platform, the agency has set a standard for vulnerability management across the federal government. All FCEB agencies are required to publish a VDP, and through the VDP Platform, CISA plays a critical role in supporting agencies in making their VDPs more effective and efficient.
Through the VDP platform, CISA continues to advance its visibility into vulnerability disclosures and threat trends across the FCEB. With its ability to share that information across communities, the VDP Platform serves as a model for crowdsourced cybersecurity solutions beyond the FCEB.
Organizations in all levels of government and critical infrastructure should consider exploring further the value these solutions offer to enhance their cybersecurity posture.



Nice Post.