How CISA's Planning to Track Agencies' Vulnerability Remediation

The Cybersecurity and Infrastructure Security Agency is interested in acquiring a centralized platform for overseeing federal agencies' attempts to fix vulnerabilities that security researchers bring to their attention, and plans to issue a request for proposals this summer.

In November, CISA invited feedback on a draft binding operational directive instructing civilian agencies to publish a policy under which they would receive and resolve vulnerabilities identified by security researchers from the public. The idea was that do-good hackers, typically afraid of legal liability for exposing weaknesses they spot in code, or discouraged by a lack of responsiveness when they do report them, would feel more inclined to report the vulnerabilities to administrators.

The draft received mixed reviews, with some agency officials expressing concerns about being flooded by frivolous reports, and about the feasibility of meeting the suggested timelines for responding to researchers and addressing the vulnerabilities, given the need to wade through those frivolous reports first.

According to attachments included in a request for information that CISA, along with the General Services Administration, posted to beta.sam.gov on Tuesday, the cybersecurity agency plans to officially request proposals to address that issue this summer.

An entity with a commercially available software as a service platform would receive all of the security researchers' repo ..