{"id":829,"date":"2024-11-12T06:00:00","date_gmt":"2024-11-12T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=829"},"modified":"2024-11-12T06:00:00","modified_gmt":"2024-11-12T06:00:00","slug":"cisas-vdp-is-going-gangbusters-but-could-still-be-improved","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=829","title":{"rendered":"CISA\u2019s VDP is going gangbusters but could still be improved"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISA\u2019s vulnerability disclosure policy (VDP) platform grew to encompass 51 US government agencies and 12,000 bug reports in its first two years. Experts say increased <a href=\"https:\/\/www.csoonline.com\/article\/657751\/top-bug-bounty-programs.html\">bug bounties<\/a>, the consolidation of other agencies\u2019 vulnerability disclosure efforts, and fixing CVE ecosystem weaknesses are among the steps that could give it further strength.<\/p>\n<p>On September 30, the Cybersecurity and Infrastructure Security Agency issued a second annual <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-09\/Vulnerability%20Disclosure%20Policy%20%28VDP%29%20Platform%202023%20Annual%20Report.pdf\">report<\/a> on its Vulnerability Disclosure Policy (VDP) platform, revealing that it had saved an estimated average of $4.45 million in potential remediation costs for critical and severe vulnerabilities across the US federal government.<\/p>\n<p>CISA said that since its launch in 2021, the VDP platform had triaged over 12,000 submissions (more than 7,000 in 2023) on behalf of 51 onboarded agency programs and had identified over 2,400 unique, valid vulnerability disclosures, of which federal agencies remediated 2,000. Since 2021, over 3,200 security researchers have participated in federal civilian executive branch VDPs via the VDP Platform.<\/p>\n<p>Ilona Cohen, chief legal officer, chief policy officer, and corporate secretary at HackerOne says the White House Office of Management Budget <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2020\/09\/M-20-32.pdf\">has assessed<\/a> VDPs as \u201camong the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment.\u201d She gives high marks to CISA\u2019s VDP.<\/p>\n<p>\u201cCISA\u2019s VDP requirement for civilian agencies has fostered adoption of this best practice across the US government,\u201d Cohen says. \u201cCISA also provides resources to interested agencies that promote a streamlined approach to manage vulnerabilities, helping to ensure that vulnerabilities are received and managed rather than left unaddressed and at risk of exploitation by bad actors.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What is CISA\u2019s VDP, and what does it do?<\/h2>\n<p>A VDP is a publicly available set of guidelines for third parties, often experienced security researchers, to\u00a0<a href=\"https:\/\/www.hackerone.com\/vulnerability-disclosure\/what-vulnerability-disclosure-program-and-do-you-need-one\">report vulnerabilities<\/a>\u00a0so that software providers\u2019 security teams can quickly assess and remediate them. VDPs are sometimes established along with bug bounty programs\u00a0that pay researchers for the vulnerabilities they discover.<\/p>\n<p>CISA\u2019s VDP platform, which became operational in 2021, is <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-05\/Final%20approved%20CSSO-VDP%20Platform-FAQ-Final.pdf\">a centrally managed software-as-a-service (SaaS) system<\/a> that collects vulnerability information from and enables collaboration with the security researcher community to improve agency cybersecurity. It was established under two binding operational directives (BODs), <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/bod-20-01-develop-and-publish-vulnerability-disclosure-policy\">BOD 20-01<\/a> and <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities\">BOD 22-01<\/a>. Bugcrowd and EnDyna are <a href=\"https:\/\/bugcrowd.com\/engagements\/featured\/cisa\">the platform vendors<\/a> for CISA\u2019s VDP platform.<\/p>\n<p>The platform provides several benefits to government agencies, including, among other things, base-level validation of the submitted information, metrics that satisfy reporting requirements under the BODs, compliance measurements, and <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-07\/VDP%20Platform%20Bug%20Bounty%20Fact%20Sheet%20-%20July%202024.pdf\">bug bounty support<\/a>. According to the most recent annual report, CISA paid out $335,000 in bounties across 2,400 vulnerabilities in 2023 among its 51 onboarded agency programs. <\/p>\n<p>\u201cSo having a vulnerability disclosure program is critical to having secure software,\u201d Chris Wysopal, Chief Security Evangelist at Veracode, tells CSO. \u201cCISA agrees with this, and CISA basically in their secure by design documentation says, \u2018you should do this.\u2019 If you\u2019re going to develop secure software, this is one of the things you do. It\u2019s pretty universally accepted that you need to do this.\u201d<\/p>\n<p>Threat researchers think every sizeable organization, including the US government, should have a VDP program. \u201cOn the surface, [CISA\u2019s program is] very good,\u201d Dustin Childs, head of threat awareness in the Zero Day Initiative at Trend Micro, tells CSO. \u201cEvery enterprise, especially any large enterprise like the US government, should have some vulnerability disclosure platform.\u201d<\/p>\n<p>Grant Bourzikas, Cloudflare\u2019s CSO, also views CISA\u2019s VDP positively. \u201cProcesses and guidance like CISA\u2019s VDP are a step toward decreasing risks and proactively driving change,\u201d he tells CSO. \u201cAccess to a cohesive platform that makes strides towards receiving, triaging, and routing publicly disclosed vulnerabilities will help security teams with prioritization and visibility and move the needle further towards proactive measures.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Multiple government VDP programs foster confusion<\/h2>\n<p>Although CISA\u2019s VDP might have the broadest reach in terms of a number of government agencies, other major arms of the US government, including the <a href=\"https:\/\/www.dc3.mil\/Missions\/Vulnerability-Disclosure\/Vulnerability-Disclosure-Program-VDP\/#:~:text=The%20mission%20of%20the%20DoD,cybersecurity%20researchers%20supporting%20the%20DoDIN.&amp;text=This%20improves%20network%20defenses%20and,the%20United%20States%20of%20America.\">US Department of Defense<\/a>, <a href=\"https:\/\/www.commerce.gov\/vulnerability-disclosure-policy#:~:text=The%20United%20States%20(U.S.)%20Department,public%20disclosure%20of%20submitted%20vulnerabilities.\">Department of Commerce<\/a>, <a href=\"https:\/\/www.ed.gov\/about\/ed-overview\/required-notices\/vulnerability-disclosure-policy#:~:text=submitting%20a%20report.-,Scope,the%20scope%20of%20the%20VDP.\">Department of Education<\/a>, <a href=\"https:\/\/www.state.gov\/vulnerability-disclosure-policy\/\">State Department<\/a>, and <a href=\"https:\/\/www.justice.gov\/jmd\/vulnerability-disclosure-policy\">Justice Department<\/a>, have their own separate VDP programs. HackerOne provides the underlying technology for many of these non-CISA VDP platforms.<\/p>\n<p>These other VDP programs likely predate CISA\u2019s effort and remain in place for various reasons, including inertia. \u201cIt reminds me of the problem of shadow IT where you just have agencies standing up things,\u201d ZDI\u2019s Childs says. \u201cEveryone wants a bug bounty program. They think it\u2019s the shiny new thing. So, you have an agency large enough to create a contract with HackerOne or Bugcrowd, and then suddenly you have that.\u201d<\/p>\n<p>Having so many government VDP programs can create confusion. \u201cIt\u2019s one of those things that CISA is designed to handle,\u201d Childs says. \u201cBut, there\u2019s still some disconnect where you have the State Department and the DOD doing its own. I think for a while the Air Force was doing its own thing. I know the Army was doing its own thing for a while, too. So, there is confusion there as a researcher when you find a\u00a0vulnerability. It\u2019s unclear where specifically you\u2019re supposed to report it.\u201d<\/p>\n<p>\u201cConsolidating those programs would be certainly more efficient. But if you\u2019ve ever dealt with the government, there\u2019s a lot of silos, a lot of territorial stuff that goes on there,\u201d Childs says. \u201cThe bottom line is if it\u2019s working for them, they will be reluctant to change unless mandated. Until CISA has that official mandate to take over the system and then get the budget and manpower and everything else that goes along with that mandate, there will probably remain multiple VDPs for the US government.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Upping bounty payments might strengthen CISA\u2019s VDP<\/h2>\n<p>While CISA gets high marks for its VDP, experts say some steps could strengthen the program further, starting with increasing the payments in its bug bounty program.<\/p>\n<p>CISA\u2019s payout of $335,000 in 2023 \u201cis not a lot,\u201d Veracode\u2019s Wysopal says. \u201cThat\u2019s not a lot because they dealt with 2,000 vulnerabilities. So, we\u2019re looking at what, $150 on average.\u201d<\/p>\n<p>Wysopal adds that he\u2019s not surprised that the bounty payouts are so low. \u201cFor one thing, most federal government agencies don\u2019t pay for bounties. They are very happy to coordinate with you, take your information, and help you understand if it\u2019s getting fixed. But they\u2019re not necessarily paying out.\u201d<\/p>\n<p>\u201cThe more you can pay as an agency to acquire this stuff, the more you\u2019re going to be able to acquire,\u201d Childs says. \u201cThere\u2019s always a balance. You want to incentivize them financially. You want to pay them as much as you can, but there\u2019s a point where you\u2019re overpaying them, and you\u2019re overpaying for bugs.\u201d<\/p>\n<p>The prospect of overpaying is particularly true regarding the mostly low-level bugs for which CISA pays. According to CISA\u2019s most recent VDP report, cross-site scripting vulnerabilities were the number one vulnerability reported on its platform in 2023, with 371 reports, almost double the next most frequent bug, server-side injections, with 178 reports.<\/p>\n<p>\u201cA lot of the bugs in their report were pretty low severity bugs,\u201d Childs says. \u201cThe price of a bug varies depending on its severity. For example, a cross-site scripting bug is simple and easy to remediate and\u00a0detect. It will have a lower price than a remote unauthenticated code execution that doesn\u2019t require user interaction.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Other steps that would bolster CISA\u2019s VDP<\/h2>\n<p>Security researchers point to other measures outside the agency\u2019s control that could help bolster the program. For example, HackerOne\u2019s Cohen thinks addressing the weaknesses in the ecosystem surrounding the CVE (Common Vulnerabilities and Exposures) database might help.<\/p>\n<p>\u201cLike much of our vulnerability management infrastructure, the CVE Program and the National Vulnerability Database (NVD) play important roles in identifying, tracking, and assessing the severity of vulnerabilities,\u201d she says. \u201cHackerOne publishes CVEs as an authorized CVE Numbering Authority (CNA) based on the findings security researchers report on our platform, which, in turn, enables organizations like CISA to disseminate those known vulnerabilities widely.\u201d<\/p>\n<p>However, \u201cThese programs also face technical, administrative, and funding challenges. CISA\u2019s VDP requirement and many other important vulnerability management programs will be strengthened and made more effective if the CVE Program and the NVD have stable funding and effectively modernize,\u201d Cohen says. \u201cWe also support the enactment of the <a href=\"https:\/\/www.warner.senate.gov\/public\/index.cfm\/2024\/8\/warner-lankford-announce-legislation-to-strengthen-federal-cybersecurity-measures-implement-mandatory-vulnerability-disclosure-policies\">Federal Cybersecurity Vulnerability Reduction Act<\/a>, which would build on the work done by federal agencies and require federal contractors and subcontractors to implement a Vulnerability Disclosure Policy.\u201d<\/p>\n<p>Another measure that would indirectly boost the value of CISA\u2019s VDP is ensuring that the federal agencies receiving the vulnerability reports are prepared to follow up on them. \u201cYou need to have a certain amount of expertise, not just to triage them, because you can hire one of these bug bounty companies to do the triage, but you have to do the fixing,\u201d Wysopal says. \u201cYou need to have people that know how to fix these flaws. You have to earmark time and energy to fix these flaws.\u201d<\/p>\n<p>\u201cPatching requires time, money, and efficient tools, which are often limited for smaller organizations,\u201d says Cloudflare\u2019s Bourzikas. \u201cMany organizations still lack a complete view of all the software in their environments, making it impossible even to understand if they are vulnerable and assessing impact so prioritization can occur.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISA\u2019s vulnerability disclosure policy (VDP) platform grew to encompass 51 US government agencies and 12,000 bug reports in its first two years. Experts say increased bug bounties, the consolidation of other agencies\u2019 vulnerability disclosure efforts, and fixing CVE ecosystem weaknesses are among the steps that could give it further strength. On September 30, the Cybersecurity [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":822,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-829","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/829"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=829"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/829\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/822"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=829"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}