- Vulnerable U
- Posts
- More People Than Ever Are Trying to Hack the U.S. Government--And They Love It
More People Than Ever Are Trying to Hack the U.S. Government--And They Love It
The vulnerability disclosure policy (VDP) platform that the Cybersecurity and Infrastructure Security Agency (CISA) deployed in 2021 for federal civilian agencies received more than 1,000 valid bug disclosures last year, nearly half of which were either severe or critical, nearly twice as many as in 2022. The volume of remediated bugs went up 78% last year, as well.
Why It Matters: The federal government has lagged slightly behind the private sector in deploying VDPs and implementing a common method for researchers to work with agencies to disclose vulnerabilities. The increase in submissions, valid reports, and remediated bugs shows that researchers are finding value in the platform and that federal agencies are taking the effort seriously.
Key Details:
There are now 51 federal agencies using CISA’s VDP Platform in only its second full year of operation, with 11 new agencies on-boarded in 2023
There was a 130% increase in critical vulnerabilities identified in 2023 and 132% increase in total submissions
The top five vulnerability classes identified in federal networks in 2023 were XSS, server side injection, sensitive data exposure, server security misconfiguration, and broken access control
More than 3,200 individual researchers have submitted reports through the VDP Platform since its launch
VDPs have become de rigueur in the private sector, especially in the technology industry, but the federal government has taken a bit longer to adopt them, as you might expect. But since CISA rolled out its platform in 2021, that has changed quickly and the research community has warmed up to the idea of hacking the government (with permission).
“The researchers are very engaging. They want to help us find bugs … and are very excited to engage with us,” the NASA VDP program manager said.
What’s Next: As more agencies come on board and more researchers participate in the program, CISA’s VDP Platform will continue to see an increase in submissions and remediated bugs, which is the whole idea.
Further Reading: