CISA: Thousands of bugs remediated in second year of vulnerability disclosure program

Date: unknown

Location: therecord.media

Thousands of vulnerabilities were identified and remediated through a government clearinghouse in 2023, according to a new report from the nation’s top cybersecurity agency. 

The Cybersecurity and Infrastructure Security Agency (CISA) published its second report on the Vulnerability Disclosure Policy (VDP) Platform, which launched in 2021 as an organized way for federal civilian agencies to take in bug discoveries from researchers and resolve them.

CISA said that, through the VDP Platform, it triaged more than 7,000 submissions in 2023 on behalf of 51 federal agencies.

Image: CISA

With 11 new agency programs onboarding in 2023, the VDP Platform drew heightened researcher attention and engagement, which facilitated a marked increase in the volume of vulnerability submissions received, valid vulnerabilities identified and vulnerabilities remediated, CISA explained.

In the platform's second full year of operation, CISA reported a total of 7,058 submissions, 1,094 valid disclosures and 872 remediated vulnerabilities. The number of critical vulnerabilities identified also rose to 250 in 2023.

“The VDP Platform offers agencies significant cost and time savings. While VDPs are a critical component of an agency’s vulnerability management process, implementation and management come with associated costs for agencies,” CISA said. 

“Handling disclosed vulnerabilities, triaging reports, corresponding with security researchers, and collecting and reporting required metrics are all labor-intensive steps that draw agency resources away from prioritizing valid vulnerability submissions and coordinating remediation activities.” 

Federal agencies typically have large attack surfaces and protect vast amounts of sensitive data but lack the resources to adequately protect themselves. VDP allows CISA to mitigate some of this risk, providing an extra layer of protection for agencies delivering public services. 

CISA said agencies that participate in VDP save an average of about $4.45 million in potential remediation costs and validate submissions two days faster than agencies that do not participate. CISA is also using VDP to gain better insight into vulnerability disclosures and threat trends across federal agencies.

Image: CISA
