CISA launches platform to allow hackers to report flaws in federal tech

Agencies will use the shared service to receive security feedback from white-hat hackers around the world.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a vulnerability disclosure platform (VDP) that will allow federal agencies to identify cybersecurity flaws with the help of ethical hackers.

The platform will be available to all civilian agencies overseen by CISA, and is intended to allow government departments to take advantage of the skills of civilian cybersecurity experts, often known as white-hat hackers.

In the private sector, white-hat hackers use their skills to identify and report weaknesses in companies’ cyber defenses.

The launch of the platform is designed to help agencies comply with a directive, published by CISA in September last year, that requires agencies to develop a procedure for reporting cybersecurity flaws and to clarify what types of security testing are allowed.


Under the directive, agencies must also provide a system for the anonymous reporting of weaknesses and commit to not pursuing legal action against security research conducted in good faith.

CISA did not comment on which agencies would join the VDP first, or the timeline for onboarding.

The platform is being administered by private contractors Bugcrowd and EnDyna, through CISA’s Quality Service Management Office (QSMO).

Speaking to FedScoop, Bugcrowd CEO Ashish Gupta said the platform would allow government departments to speed up the sharing of information about a high number of vulnerabilities.

According to Gupta, in a similar program working with a large financial institution, Bugcrowd was able to identify a vulnerability that affected more than 250 domains and over 5,000 URLs.


CISA’s executive assistant director for cybersecurity, Eric Goldstein, said: “A key component of any organization’s cybersecurity program should be a transparent and clear way for security researchers to report vulnerabilities, which is why CISA issued a directive last year to require federal civilian executive branch agencies to implement a vulnerability disclosure policy.

“As we work to raise the baseline of cybersecurity across the executive branch, CISA will continue to work with federal agencies to ensure they have the support they need to strengthen their cybersecurity operations, including by quickly identifying and mitigating vulnerabilities,” added Goldstein.

CISA initially awarded Bugcrowd and EnDyna the platform contract in September; however, a series of protests delayed the service, the first of three initial shared services being offered by its QSMO, until now.

The use of VDPs could even become widespread for federal contractors should California Democratic Rep. Ted Lieu's Improving Contractor Cybersecurity Act, introduced on June 1, become law.

The SolarWinds hack, discovered to have compromised at least nine federal agencies in December, prompted President Biden's cybersecurity executive order pushing new investments in zero-trust security architectures.


More recently the Supreme Court narrowed the scope of the Computer Fraud and Abuse Act, in part, to protect well-intentioned, white-hat hackers from being unfairly prosecuted for investigating vulnerabilities.
