CISA: Thousands of bugs remediated in second year of vulnerability disclosure program


Thousands of vulnerabilities were identified and remediated through a government clearinghouse in 2023, according to a new report from the nation’s top cybersecurity agency. 

The Cybersecurity and Infrastructure Security Agency (CISA) published its second report on the Vulnerability Disclosure Policy (VDP) Platform, which launched in 2021 as an organized way for federal civilian agencies to take in bug discoveries from researchers and resolve them.

CISA said that through the VDP Platform it triaged more than 7,000 submissions in 2023 on behalf of 51 federal agencies.

Image: CISA

With 11 new agency programs onboarding in 2023, the VDP Platform drew heightened researcher attention and engagement, which facilitated a marked increase in the volume of vulnerability submissions received, valid vulnerabilities identified and vulnerabilities remediated, CISA explained.

In its second full year of operation, the platform recorded a total of 7,058 submissions, 1,094 valid disclosures and 872 remediated vulnerabilities. The number of critical vulnerabilities identified also increased, to 250 in 2023.

“The VDP Platform offers agencies significant cost and time savings. While VDPs are a critical component of an agency’s vulnerability management process, implementation and management come with associated costs for agencies,” CISA said. 

“Handling disclosed vulnerabilities, triaging reports, corresponding with security researchers, and collecting and reporting required metrics are all labor-intensive steps that draw agency resources away from prioritizing valid vulnerability submissions and coordinating remediation activities.” 

Federal agencies typically have large attack surfaces and protect vast amounts of sensitive data, but lack the resources to adequately protect themselves. The VDP Platform allows CISA to mitigate some of this risk, providing an extra layer of protection for agencies delivering public services.

CISA said agencies that participate in the VDP Platform save an average of about $4.45 million in potential remediation costs and validate submissions two days faster than agencies that do not participate. CISA is also using the platform to gain better insight into vulnerability disclosures and threat trends across federal agencies.

Image: CISA


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
