Last fall, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) announced a binding operational directive (BOD) requiring the Federal government to develop and publish vulnerability disclosure policies (VDP). CISA announced today it has chosen vendors for its VDP platform.
CISA will utilize vendors Bugcrowd, a crowdsourced cybersecurity firm, and Endyna, a tech-based government contractor, to help build and maintain the VDP platform.
“CISA will offer this VDP platform service to Federal Civilian Executive Branch (FCEB) agencies, which will set a new precedent for Federal civilian enterprise-wide security,” a release says. “FCEB agencies will now be able to coordinate with the civilian hacker community. The VDP platform enables agencies to identify and monitor vulnerabilities in critical systems by receiving security feedback from uniquely skilled ethical hackers around the world.”
BOD 20-01 will require all Federal agencies and departments, as well as the White House and the rest of the executive branch, to develop a VDP. The platform will allow those entities to implement their own “bug bounty” programs for ethical hackers to look for vulnerabilities.
The two vendors partnered in the one-year contract award to provide a software-as-a-service component to the platform. The award also includes four option years. The contract was awarded through CISA’s Quality Services Management Office.