CISA taps Bugcrowd for federal vulnerability disclosure program

The U.S. Cybersecurity and Infrastructure Security Agency has opened a first of its kind vulnerability disclosure program.

The new program, launched with Bugcrowd and Endyna, will see the Department of Homeland Security's cybersecurity branch partner with the two infosec companies to make it easier for hackers to find and report potential security issues in public-facing government sites and portals. The program stems from the Cybersecurity and Infrastructure Security Agency's (CISA) binding operational directive from September that tasked most executive branch agencies with creating a vulnerability disclosure policy (VDP), which can include both public and private bug bounties.

Under the newly launched program, researchers will be able to report potential security flaws to the government and receive compensation. The program, which covers all agencies falling under the Federal Civilian Executive Branch (FCEB) umbrella, will be hosted on Bugcrowd's crowdsourced security platform, with Endyna, a government IT contractor, providing a SaaS component for the VDP.

"The need for cyber resilience and risk management is unprecedented in today's digitally connected world and the partnership between CISA and Bugcrowd provides the most powerful crowdsourced cybersecurity platform solution to address the government's growing need for contextually intelligent security assessments to protect its vast attack surface," Bugcrowd CEO Ashish Gupta said.

"We are honored to be the first crowdsourced cybersecurity vendor to work with CISA on an FCEB-wide proactive defense strategy through our VDP solution," he said.

While establishing vulnerability disclosure and bug bounty programs has widely been seen as something most software vendors, as well as the U.S. government, should strive for in the long term, it has become a necessity lately as exploitation of zero-day flaws and existing vulnerabilities have led to several high-profile breaches and cyberattacks.

In order to fully assess and remediate vulnerabilities, organizations are advised not to dive headfirst into public bug bounties, which can lead to high volumes of reported flaws. Rather, experts like Bugcrowd said firms should work their way up to bug bounty status.

This means first hardening your network by running extensive tests both with in-house staff and external penetration testing providers. In a recent interview with SearchSecurity, Bugcrowd founder and CTO Casey Ellis noted that firms need to start small with VDPs.

From there, many organizations start with private VDPs where critical security issues can be reported and verified confidentially. Even then, it is advised that companies and government organizations think long and hard before opening themselves up to public bug bounty systems.

In this case, the hope is that once the U.S. government has established the basics, CISA can then open the doors on a public bug bounty. Gupta said organizations that build up vulnerability disclosure programs over time recognize the value of crowdsourced security research.

"Our customers have told us they are not going back," he said.