Vulnerability as a business: US saves millions on cybersecurity

Carding

The U.S. Federal Government's internal Cybersecurity Vulnerability Center accepted more than 1,300 valid reports in its first 18 months of operation. This saved about $4.35 million in system response and recovery costs, according to the program's first annual report.

The Vulnerability Disclosure Policy (VDP) platform has seen "huge growth" in the short time since its launch in July 2021, including 40 agency programs. The main goal of VDP is to provide an organized way for agencies to obtain vulnerability data from cybersecurity researchers and other sources and distribute it throughout the government. It should be noted that agencies, as a rule, do not provide rewards for direct submissions, but reward participants for detecting errors in competitions.

Vulnerability data is transmitted to CISA, which collects it for further review and resolution of important security issues. As the report states: "VDP allows agencies to identify and fix vulnerabilities in their software or systems before hackers exploit them. The program also encourages researchers to report vulnerabilities and demonstrates federal agencies' commitment to transparency and collaboration with the security research community."

By December 2022, the VDP platform had resolved 1,119 vulnerabilities out of 1,330 verified reports. The remaining problems were "resolved with compensatory measures," said Jim Sheire, head of cybersecurity at CISA.

Among the most frequently reported errors are cross-site scripting (XSS), incorrect configurations, and data leaks due to poorly designed web applications or weak encryption.

This week, lawmakers introduced a bill that would extend the vulnerability disclosure obligation to federal contractors, not just the agencies themselves. For defense matters, the Military Department has separate vulnerability disclosure programs.