
CISA’s VDP is going gangbusters but could still be improved – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Introduced in 2021, the US government’s vulnerability disclosure policy platform has racked up 12,000 bug reports and saved the government millions in remediation costs.

CISA’s vulnerability disclosure policy (VDP) platform grew to encompass 51 US government agencies and 12,000 bug reports in its first two years. Experts say increased bug bounties, the consolidation of other agencies’ vulnerability disclosure efforts, and fixing CVE ecosystem weaknesses are among the steps that could give it further strength.

On September 30, the Cybersecurity and Infrastructure Security Agency issued a second annual report on its Vulnerability Disclosure Policy (VDP) platform, revealing that it had saved an estimated average of $4.45 million in potential remediation costs for critical and severe vulnerabilities across the US federal government.

CISA said that since its launch in 2021, the VDP platform had triaged over 12,000 submissions (more than 7,000 in 2023) on behalf of 51 onboarded agency programs and had identified over 2,400 unique, valid vulnerability disclosures, of which federal agencies remediated 2,000. Since 2021, over 3,200 security researchers have participated in federal civilian executive branch VDPs via the VDP Platform.

Ilona Cohen, chief legal officer, chief policy officer, and corporate secretary at HackerOne, says the White House Office of Management and Budget has assessed VDPs as “among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment.” She gives high marks to CISA’s VDP.

“CISA’s VDP requirement for civilian agencies has fostered adoption of this best practice across the US government,” Cohen says. “CISA also provides resources to interested agencies that promote a streamlined approach to manage vulnerabilities, helping to ensure that vulnerabilities are received and managed rather than left unaddressed and at risk of exploitation by bad actors.”

What is CISA’s VDP, and what does it do?

A VDP is a published policy, together with a public intake channel, that tells third parties, often experienced security researchers, what systems they may test and how to report the vulnerabilities they find, so that the owning organization’s security team can quickly assess and remediate them. VDPs are sometimes paired with bug bounty programs that pay researchers for the vulnerabilities they discover; a VDP on its own does not.

CISA’s VDP platform, which became operational in 2021, is a centrally managed software-as-a-service (SaaS) system that collects vulnerability reports from, and enables collaboration with, the security researcher community to improve agency cybersecurity. It supports two binding operational directives (BODs): BOD 20-01, which requires federal civilian executive branch agencies to develop and publish a vulnerability disclosure policy, and BOD 22-01, which requires them to remediate vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog. Bugcrowd and EnDyna are the vendors behind CISA’s VDP platform.

The platform provides several benefits to government agencies, including, among other things, base-level validation of the submitted information, metrics that satisfy reporting requirements under the BODs, compliance measurements, and bug bounty support. According to the most recent annual report, CISA paid out $335,000 in bounties across 2,400 vulnerabilities in 2023 among its 51 onboarded agency programs.

“So having a vulnerability disclosure program is critical to having secure software,” Chris Wysopal, CTO of Veracode, tells CSO. “CISA agrees with this, and CISA basically in their secure by design documentation says, ‘you should do this.’ If you’re going to develop secure software, this is one of the things you do. It’s pretty universally accepted that you need to do this.”

Threat researchers think every sizeable organization, including the US government, should have a VDP program. “On the surface, [CISA’s program is] very good,” Dustin Childs, head of threat awareness in the Zero Day Initiative at Trend Micro, tells CSO. “Every enterprise, especially any large enterprise like the US government, should have some vulnerability disclosure platform.”

Grant Bourzikas, Cloudflare’s CSO, also views CISA’s VDP positively. “Processes and guidance like CISA’s VDP are a step toward decreasing risks and proactively driving change,” he tells CSO. “Access to a cohesive platform that makes strides towards receiving, triaging, and routing publicly disclosed vulnerabilities will help security teams with prioritization and visibility and move the needle further towards proactive measures.”

Multiple government VDP programs foster confusion

Although CISA’s VDP may have the broadest reach in terms of the number of government agencies it covers, other major arms of the US government, including the Department of Defense, Department of Commerce, Department of Education, State Department, and Justice Department, run their own separate VDP programs. HackerOne provides the underlying technology for many of these non-CISA VDP platforms.

These other VDP programs likely predate CISA’s effort and remain in place for various reasons, including inertia. “It reminds me of the problem of shadow IT where you just have agencies standing up things,” ZDI’s Childs says. “Everyone wants a bug bounty program. They think it’s the shiny new thing. So, you have an agency large enough to create a contract with HackerOne or Bugcrowd, and then suddenly you have that.”

Having so many government VDP programs can create confusion. “It’s one of those things that CISA is designed to handle,” Childs says. “But, there’s still some disconnect where you have the State Department and the DOD doing its own. I think for a while the Air Force was doing its own thing. I know the Army was doing its own thing for a while, too. So, there is confusion there as a researcher when you find a vulnerability. It’s unclear where specifically you’re supposed to report it.”

“Consolidating those programs would be certainly more efficient. But if you’ve ever dealt with the government, there’s a lot of silos, a lot of territorial stuff that goes on there,” Childs says. “The bottom line is if it’s working for them, they will be reluctant to change unless mandated. Until CISA has that official mandate to take over the system and then get the budget and manpower and everything else that goes along with that mandate, there will probably remain multiple VDPs for the US government.”

Upping bounty payments might strengthen CISA’s VDP

While CISA gets high marks for its VDP, experts say some steps could strengthen the program further, starting with increasing the payments in its bug bounty program.

CISA’s payout of $335,000 in 2023 “is not a lot,” Veracode’s Wysopal says. “That’s not a lot because they dealt with 2,000 vulnerabilities. So, we’re looking at what, $150 on average.”

Wysopal adds that he’s not surprised that the bounty payouts are so low. “For one thing, most federal government agencies don’t pay for bounties. They are very happy to coordinate with you, take your information, and help you understand if it’s getting fixed. But they’re not necessarily paying out.”

“The more you can pay as an agency to acquire this stuff, the more you’re going to be able to acquire,” Childs says. “There’s always a balance. You want to incentivize them financially. You want to pay them as much as you can, but there’s a point where you’re overpaying them, and you’re overpaying for bugs.”

The risk of overpaying is most relevant for the mostly low-severity bugs that make up the bulk of CISA’s payouts. According to CISA’s most recent VDP report, cross-site scripting was the most frequently reported vulnerability class on its platform in 2023, with 371 reports, almost double the next most frequent class, server-side injection, with 178 reports.

“A lot of the bugs in their report were pretty low severity bugs,” Childs says. “The price of a bug varies depending on its severity. For example, a cross-site scripting bug is simple and easy to remediate and detect. It will have a lower price than a remote unauthenticated code execution that doesn’t require user interaction.”

Other steps that would bolster CISA’s VDP

Security researchers point to other measures outside the agency’s control that could help bolster the program. For example, HackerOne’s Cohen thinks addressing the weaknesses in the ecosystem surrounding the CVE (Common Vulnerabilities and Exposures) database might help.

“Like much of our vulnerability management infrastructure, the CVE Program and the National Vulnerability Database (NVD) play important roles in identifying, tracking, and assessing the severity of vulnerabilities,” she says. “HackerOne publishes CVEs as an authorized CVE Numbering Authority (CNA) based on the findings security researchers report on our platform, which, in turn, enables organizations like CISA to disseminate those known vulnerabilities widely.”

However, “These programs also face technical, administrative, and funding challenges. CISA’s VDP requirement and many other important vulnerability management programs will be strengthened and made more effective if the CVE Program and the NVD have stable funding and effectively modernize,” Cohen says. “We also support the enactment of the Federal Cybersecurity Vulnerability Reduction Act, which would build on the work done by federal agencies and require federal contractors and subcontractors to implement a Vulnerability Disclosure Policy.”

Another measure that would indirectly boost the value of CISA’s VDP is ensuring that the federal agencies receiving the vulnerability reports are prepared to follow up on them. “You need to have a certain amount of expertise, not just to triage them, because you can hire one of these bug bounty companies to do the triage, but you have to do the fixing,” Wysopal says. “You need to have people that know how to fix these flaws. You have to earmark time and energy to fix these flaws.”

“Patching requires time, money, and efficient tools, which are often limited for smaller organizations,” says Cloudflare’s Bourzikas. “Many organizations still lack a complete view of all the software in their environments, making it impossible even to understand if they are vulnerable and assessing impact so prioritization can occur.”


Original Post url: https://www.csoonline.com/article/3601459/cisas-vdp-is-going-gangbusters-but-could-still-be-improved.html

Category & Tags: Bugs, Data and Information Security, Government, Security Practices, Threat and Vulnerability Management, Vulnerabilities
