Bug bounty vendor Bugcrowd to oversee the project
The US Cybersecurity and Infrastructure Security Agency (CISA) has launched its first federal civilian security vulnerability disclosure program (VDP) in partnership with Bugcrowd.
The federal government agency launched the program today (June 8) with government IT contractor Endyna and the bug bounty platform, which will administer the scheme.
Researchers will be asked to test for vulnerabilities in Federal Civilian Executive Branch (FCEB) agencies, which Bugcrowd hopes “will set a new precedent for federal civilian enterprise-wide security”, it announced in a press release.
It will be the first time that US civilian agencies will work with the hacker community to secure their networks. Endyna will provide a software-as-a-service (SaaS) platform for the program.
The press release reads: “In addition to the CISA-funded VDP platform service, FCEB agencies can also accelerate digital transformation strategies and implement their own bug bounty programs from Bugcrowd and Endyna, enabling them to ensure that security assessments become part of their software development lifecycle (SDLC), also commonly called [known] as ‘Shifting Left’.”
Covering a ‘distributed attack surface’
Ashish Gupta, CEO at Bugcrowd, told The Daily Swig that the partnership with CISA was the result of the Binding Operational Directive 20-01, which requires all federal agencies to create a vulnerability disclosure policy.
The agency put out a request for proposals, Gupta said, and chose Bugcrowd to provide operational management of the resulting program.
Gupta added: “Technology has become more distributed, and the attack surface has expanded as a result.
“Just like enterprises, government agencies need to embrace a layered approach to better secure their digitally connected assets.
“We are excited to be able to offer Federal Civilian Executive Branch (FCEB) agencies a proven crowdsourced cybersecurity platform that allows them to leverage the wealth of information from ethical researchers to identify vulnerabilities and better protect critical government systems and public data.”
YOU MAY ALSO LIKE GitHub changes policy to welcome security researchers