US Saves Millions on Cybersecurity with Vulnerability-as-Business Approach

The US Federal Government’s internal center for cybersecurity vulnerabilities has processed more than 1,300 valid reports in the first 18 months of its operation, resulting in cost savings of approximately $4.35 million for response and system restoration, according to the inaugural Annual Report of the Vulnerability Disclosure Policy (VDP) program. The report can be found [here](https://www.cisa.gov/news-events/vdp-platform-2022–real-showcases-platforms-success).

The VDP, launched in July 2021, has witnessed significant growth, with 40 agency programs now in operation. The primary aim of the VDP is to establish an organized approach for agencies to receive vulnerability data from cybersecurity researchers and other sources, and subsequently disseminate this information throughout the government. It is worth noting that agencies typically do not provide direct compensation for these contributions, but participants may be rewarded for uncovering vulnerabilities through competitions.

The collected data on vulnerabilities is transmitted to the Cybersecurity and Infrastructure Security Agency (CISA), which carefully examines and addresses significant security issues. As stated in the report, “VDP enables agencies to identify and remediate vulnerabilities in their software or systems before they can be exploited by hackers. The program also incentivizes researchers to seek out vulnerabilities and showcases the federal agencies’ commitment to transparency and cooperation with the security research community.”

By December 2022, the VDP platform had successfully resolved 1,119 of the 1,330 reported vulnerabilities. The remaining issues were mitigated through compensating controls, as noted by Jim Sheire, the head of CISA’s cybersecurity department.

Some of the most frequently reported issues include cross-site scripting (XSS), misconfigurations, and data leaks resulting from poorly designed web applications or weak encryption.

Recently, legislators introduced a bill that extends the vulnerability disclosure requirement to federal contractors, in addition to government agencies. It is worth highlighting that the Department of Defense already has its own vulnerability disclosure programs in place.
