IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

CISA launches security bug reporting program

Now white hat hackers have a way to tell the government about bugs

The Cybersecurity and Infrastructure Security Agency (CISA) plans to launch a crowdsourced bug reporting site serving a range of federal government agencies. The Department of Homeland Security's cyber arm will work with Bugcrowd, a crowdsourced bug reporting site, to launch the project. 

CISA will offer the bug reporting platform to federal government agencies. While it won't be a paid bug bounty program, it'll give security researchers a way to report bugs to government organizations through a system that guarantees a response and ensures officials note all bugs. 

The deal follows the announcement of Binding Operational Directive 20-01 last September, in which CISA laid out plans to create a vulnerability disclosure policy (VDP). It directed agencies to publish a VDP policy on their websites within 180 days, describing what systems it covers and how security researchers can report bugs. It also mandates timelines for acknowledging and dealing with each bug. 

Government technology contractor Endyna will support the reporting platform under a one-year software as a service (SaaS) contract. The arrangement includes an optional extension of up to four years. 

The VDP effort has been brewing for a while. CISA originally published the draft of BDO 20-01 in November 2019, inviting public comment on the issue. The final BDO — and the forthcoming program — will carry forward some of CISA's original suggestions, including the mandatory inclusion of all new computing systems in the scope of an agency's VDP. 

The directive also set out a two-year deadline for including all internet-accessible systems in agency VDPs. 

Related Resource

Don’t just educate: Create cyber-safe behaviour

Designing effective security awareness and training programmes

How to define effective security awareness and training programmesDownload now

If nothing else, this should reduce the danger of legal threats against white hat hackers trying to report bugs to federal agencies. It mandates that agencies not issue threatening language as part of their VDP or pursue legal action against researchers trying to report bugs in good faith. 

The directive also states CISA won't send any bugs it collects to the Vulnerabilities Equities Process (VEP). VEP is a government initiative that gives intelligence officials the option to store bugs secretly as potential weapons rather than releasing them to the public. 

The Pentagon has taken its own approach to vulnerability reporting by offering paid bug bounty programs, including a new one launched this week.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

NOAA unveils two new supercomputers in effort to better predict extreme weather
high-performance computing (HPC)

NOAA unveils two new supercomputers in effort to better predict extreme weather

29 Jun 2022
Google aims to court US public sector with new division
public sector

Google aims to court US public sector with new division

29 Jun 2022
Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022