CISA’s vulnerability management program spotted 250 critical CVEs in 2023

Summary: In 2023, federal civilian agencies addressed over 7,000 vulnerabilities through the Vulnerability Disclosure Policy Platform, with a significant increase in both identified and remediated vulnerabilities compared to the previous year. The program, initiated by CISA, aims to enhance cybersecurity by facilitating the reporting and resolution of software defects by public and private sector researchers.

Threat Actor: Cybersecurity Researchers
Victim: Federal Civilian Agencies

Key Points:

  • Federal agencies remediated 872 vulnerabilities in 2023, a 78% increase from 2022.
  • The VDP Platform identified 250 critical vulnerabilities, marking a 130% rise from the previous year.
  • Participation in the VDP Platform grew, with 51 federal agencies and over 3,200 public security researchers involved.
  • Participating agencies validated submissions two days faster than non-participants, improving response times.
  • Agencies saved an estimated average of $4.45 million in potential remediation costs for critical vulnerabilities.
  • The top five vulnerability classes included cross-site scripting and server-side injection.

Dive Brief:

  • Federal civilian agencies triaged more than 7,000 vulnerabilities submitted to the Vulnerability Disclosure Policy Platform in 2023, the Cybersecurity and Infrastructure Security Agency said Monday in an annual report on the program.
  • Federal agencies remediated 872 vulnerabilities last year, a 78% increase from 2022, CISA said in the report. The federal government determined 15% of the vulnerabilities submitted to the VDP Platform last year were valid.
  • The program continues to handle a growing number of critical vulnerabilities: the VDP Platform identified 250 critical vulnerabilities in 2023, a 130% jump from 2022.

Dive Insight:

The increase in vulnerabilities identified by the VDP Platform is partly due to growing participation across the public and private sectors.

CISA established the federal government’s vulnerability management program in 2021 to help federal civilian agencies field software defect discoveries from researchers and remediate them.

The program ended 2023 with support from 51 federal agencies and 3,246 public security researchers, of which more than 1,700 joined last year.

“As additional agencies continue to onboard to the VDP Platform, the number of vulnerabilities identified and remediated will continue to increase, leading to a more secure federal environment,” CISA said in its annual report.

Participating agencies validated vulnerability submissions two days faster than non-participating agencies, on average. Agencies involved in the VDP Platform last year saved an estimated average of $4.45 million in potential remediation costs for critical and severe vulnerabilities, CISA said.

The top five classes of vulnerabilities identified through the VDP Platform in 2023 include: cross-site scripting, server-side injection, sensitive data exposure, server security misconfiguration and broken access control.

Source: https://www.cybersecuritydive.com/news/cisa-vulnerability-disclosure-platform/728956