DHS, GSA propose centralized vulnerability disclosure platform



By Derek B. Johnson
Jan 02, 2020

The Department of Homeland Security and the General Services Administration want to know what it would take to develop a cloud-based centralized vulnerability disclosure platform for the federal government.


In a request for information released in late December, the agencies asked industry for feedback on how to set up a system that could serve as a primary point of entry for security researchers warning about bugs in their internet-accessible systems.


While the platform would be managed by the Cybersecurity and Infrastructure Security Agency at DHS, agencies might have to kick in some of their own funding, and participation would be voluntary. CISA is looking at a centralized software-as-a-service platform that can track incoming submissions, validate each report for legitimate bugs while filtering out errant ones, enable web-based communication between the reporter and agency during remediation efforts, and allow agencies to create separate role-based accounts for their main organization and component agencies.

While federal civilian and military systems are often riddled with bugs, the document points out that the system could be beneficial to many agencies that will likely be starting vulnerability disclosure management from scratch.


"Most federal agencies currently lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems," the RFI notes. "Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized."

