CISA’s platform receives 2,400 unique vulnerability disclosures, researchers paid $335K


During its two years of operation, the Vulnerability Disclosure Policy (VDP) Platform, operated by the Cybersecurity and Infrastructure Security Agency (CISA), onboarded 51 agency programs and received over 12,000 submissions for vulnerabilities.

The platform helped to identify over 2,400 unique, valid vulnerability disclosures in 2022 and 2023. Nearly 2,000 of them have been remediated by agencies, according to the new report.

Over 3,200 security researchers have participated in the program, and CISA highlighted the most productive ones. ‘Frostb1te’ filed the most valid submissions (104), while the top researcher for the most critical and severe findings was ‘mouka,’ with 51 valid findings. In total, 307 critical and severe vulnerabilities were identified last year.

ADVERTISEMENT

Two federal agencies participate in bug bounties using the VDP platform. The total bug bounty payouts for 229 vulnerabilities detected were $335,000 in 2023, or an average of $1,463 per bug.

CISA notes that while bug bounties require funding allocations, a bounty payment is a fraction of the cost incurred by a breach and “serves as a major incentive in attracting an elite group of vetted security researchers with experience in finding critical and severe vulnerabilities.”

“The VDP Platform offers agencies significant cost and time savings,’ CISA said.

“Across these agencies, an estimated average of $4.45 million in potential remediation costs for critical and severe vulnerabilities have been saved. The potential damage caused by any of the vulnerabilities identified, particularly those categorized as critical or severe, could be widespread and catastrophic.”

The most populous vulnerability class is cross-site scripting (XSS), with 371 valid vulnerabilities. These vulnerabilities could potentially enable attackers to compromise accounts and cause reputational damage and legal consequences.

cisa-vulnerabilities

The VDP platform saw a 132% increase in total submissions last year. CISA estimates that the platform members receive 90% of all submissions to the federal civilian executive branch (FCEB) agencies.

ADVERTISEMENT