US saves millions on cybersecurity

2023-08-26 16:18:32

Vulnerability as a business: US saves millions on cybersecurity

The US Federal Government’s Internal Cybersecurity Vulnerability Center accepted over 1,300 valid reports in its first 18 months of operation. This resulted in savings of approximately $4.35 million in response and system recovery costs, according to the program’s first annual report.

The Vulnerability Disclosure Policy (VDP) platform has experienced “tremendous growth” in the short time since its launch in July 2021, including 40 agency programs. The main purpose of the VDP is to provide an organized way for agencies to obtain vulnerability data from cybersecurity researchers and other sources and disseminate it throughout the government. It should be noted that agencies generally do not provide rewards for direct submissions, but do reward participants for finding bugs in contests.

Vulnerability data is reported to the Cybersecurity and Infrastructure Security Agency (CISA), which collects it for further review and to resolve important security issues. CISA is the agency responsible for protecting US critical infrastructure from cyberthreats. It monitors and analyzes threats, develops security recommendations, and provides technical and information support to organizations in the industry. CISA also works with other government agencies and the private sector to improve cybersecurity in the country.

As the report says: “VDP allows agencies to identify and fix vulnerabilities in their software or systems before they are exploited by hackers. The program also encourages researchers to report vulnerabilities and demonstrates the federal agencies’ commitment to transparency and collaboration with the security research community.”

By December 2022, the VDP platform had fixed 1,119 vulnerabilities out of 1,330 verified and confirmed reports. The remaining problems were “resolved by compensatory measures,” according to Jim Sheire, CISA’s head of cybersecurity.

Among the most commonly reported errors are cross-site scripting (XSS), misconfigurations, and data leakage due to poorly designed web applications or weak encryption.

This week, lawmakers introduced a bill that would extend the obligation to disclose vulnerabilities to federal contractors, and not just to the agencies themselves. For defense matters, the War Department has separate vulnerability disclosure programs.

