CISA Vulnerability Disclosure Policy Platform
The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a vulnerability disclosure policy (VDP) platform that supports its Binding Operational Directive 20-01, which requires federal agencies to establish VDPs.
Agencies have until September 2, 2022 to bring all internet-accessible systems into scope. Policies and contacts had to be published within 180 days of the directive, and after that point any newly deployed internet-accessible system was automatically in scope. Identification of existing in-scope systems was required within 270 days of the issuance of BOD 20-01 (June 1, 2021), with additional systems required every 90 days until all internet-accessible systems are listed as in scope. The challenge for agencies is developing procedures to track, coordinate and resolve reported issues, which may affect federal incident reporting activities. The BOD provides the references and resources needed to develop a VDP. Before testing an agency's system, check its web site under /vulnerability-disclosure-policy to see what is permitted and in scope.
Back in 2017 the US Department of Justice put out a solid framework for Vulnerability Disclosure Programs – good to see CISA making standard VDPs a requirement across federal systems. They now provide a template complying with this BOD. One nit: while the BOD does require the policy to be published at a standard URL across government systems, it is *not* an easy-to-guess URL. I’d like to see requirements that all federal home pages include a visible link to vulnerability reporting information.
Read more in
Bugcrowd: Secure the Government
DHS: Binding Operational Directive 20-01 | Develop and Publish a Vulnerability Disclosure Policy (September 2, 2020)