This is a chance for you to improve the cybersecurity posture of the United States government.
The Cybersecurity and Infrastructure Security Agency (CISA) is asking for your help to shape a new proposal.
CISA will soon establish a Vulnerability Disclosure Program (VDP) for civilian agencies of the federal government, and it is requesting insights you and your organization have from standing up or operating a VDP.
The philosophy behind the new Vulnerability Disclosure Program
Jeanette Manfra, CISA's Assistant Director for Cybersecurity, paints a clear picture of where the agency is coming from:
"At CISA, we work to do good things. Some are easy, like eating pineapple on pizza. Some are hard, like managing risks in 5G. Yet we know that if it's hard to do good things, most people won’t do them—and reporting a vulnerability on a government system shouldn't be so hard.
A VDP allows people who have 'seen something' to 'say something' to those who can fix it. It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems."
7 things the Vulnerability Disclosure Program (VDP) will do
The agency also shared a list of seven things the proposed Vulnerability Disclosure Program would do.
And if you're planning a VDP for your organization, this certainly seems like a good punch-list to work from:
- Lights a fire. Each agency must publish a VDP and maintain handling procedures, and the directive outlines a set of required elements for both.
- Draws a line in the sand. Systems "born" after publication of a VDP must be included in the scope of an agency's VDP.
- Expands the circle. Until everything is included, at least one new system or service must be added every 90 days to the scope of an agency's VDP.
- Starts the clock. There's an upper bound—2 years from issuance, in this draft—for when all internet-accessible systems must be in scope.
- All are welcome. Anyone that finds a problem must be able to report it to an agency.
- No "catch and keep." An agency may only request a reasonably time-limited restriction against outside disclosure to comply with their VDP.
- Defense, not offense. Submissions are for defensive purposes.
There are also a couple of things this proposal is not.
This is not a bug bounty program—although agencies are not prevented from incorporating bounties if they'd like to do so.
Also, this is not a National VDP, according to CISA.
"Instead, the directive supports a phased approach to widening scope, allowing each enterprise—comprised of the humans and their organizational tools, norms, and culture—to level up incrementally."
CISA requests insights on Vulnerability Disclosure Program
What would CISA like from the cybersecurity community now?
The agency requests you read the Binding Operational Directive 20-01: Vulnerability Disclosure Program.
CISA's Jeanette Manfra wrote in a blog post that this is a rare opportunity:
"Here, while agencies must maintain VDPs and are the beneficiaries of vulnerability reports, it's the public that will provide those reports and will be the true beneficiaries of vulnerability remediation.
That's why we're doing something we've never done before with our directives: seeking public feedback before issuance.
We want to hear from people with personal or institutional expertise in vulnerability disclosure. We also want to hear from organizations that have a VDP and manage coordinated vulnerability disclosures."
Thank you for sharing your insights and helping to improve the security posture of the United States.