For public sector organizations, cybersecurity has gone from being a technical concern to being a central part of their operational strategies and national security priorities. Government agencies reported a 40% increase in targeted attacks, while vulnerability submissions to government sector programs surged 151% over the past year. 

While the expanded attack surface presents significant risks, the increasingly connected world also offers unprecedented opportunities to strengthen our defenses. The same global reach that creates vulnerabilities also provides access to a worldwide community of security researchers who can help governments stay ahead of new threats. 

To make the most of the diverse talents of this community, organizations need to position themselves as partners and allies of the broader security community while maintaining the stringent security standards that public sector operations demand.

Bugcrowd recently achieved FedRAMP Moderate Authorization, sponsored by CISA. This milestone validated that Bugcrowd meets the U.S. government’s stringent security requirements for protecting sensitive data via the Bugcrowd Platform. You can learn more about this achievement in this solutions brief.

This FedRAMP authorization isn’t the only thing validating Bugcrowd’s ability to elevate crowdsourced security in the public sector. We’ve compiled three case studies, specific to federal and state government agencies, to help others in the public sector understand how Bugcrowd can help them.

Examples of crowdsourced security success in the public sector

VDP success story: CISA VDP

In 2020, CISA issued BOD 20-01, requiring all Federal Civilian Executive Branch agencies to develop and publish vulnerability disclosure policies. However, implementing these programs proved challenging for agencies, especially those with small or no dedicated security teams, due to resource constraints. Agencies faced significant administrative overhead in handling disclosed vulnerabilities, triaging reports, corresponding with researchers, and meeting compliance requirements. 

In response, CISA partnered with Bugcrowd to launch the first federal civilian crowdsourced vulnerability disclosure platform. The platform was quick to prove its use and effectiveness. Within its first 33 months, over 40 federal agencies had been onboarded, including NASA, the Department of the Treasury, and Homeland Security. They have since received more than 15,000 vulnerability reports. In 2022 alone, the program validated 1,330 unique vulnerabilities, including 274 critical or severe findings, with 1,119 successfully remediated. The Department of Labor saw a dramatic improvement, stating “We went from very little activity to a lot of activity, just by joining the VDP platform.” 

The success continued to grow, with participating agencies seeing 67 more vulnerability submissions in their first quarter compared to non-participating agencies, and 90% of all submissions in Q4 of 2023 came through the platform. Agencies using the platform validated submissions two days faster than nonparticipating agencies, resulting in an estimated $4.45 million saved in potential remediation costs for critical and severe vulnerabilities. The researcher community expanded significantly, with 1,718 researchers submitting reports in 2023—nearly double the number from the previous year.

AI security success story: Department of Defense Chief Digital and Artificial Intelligence Office (CDAO)

As AI applications become increasingly central to government operations, the Department of Defense’s CDAO faced the critical challenge of ensuring both the security and fairness of their AI-enabled systems. The existing testing and security measures proved insufficient for detecting data bias and other AI-specific vulnerabilities in these complex systems. 

Recognizing this growing problem, CDAO partnered with Bugcrowd and ConductorAI to implement an innovative crowdsourced security program that conducted public adversarial testing of LLM systems for bias on behalf of the Department of Defense. The program utilizes Bugcrowd’s CrowdMatch technology to source and activate researchers with specialized skills, implementing a reward-for-results model where participants are paid based on the successful demonstration of impact. It represents a significant milestone as the first public adversarial testing of LLM systems for bias within the Department of Defense, establishing a proven framework for AI security testing in the public sector and paving the way for future AI testing and innovation.

VDP success story: The Office of the Minnesota Secretary of State

Facing the challenge of protecting sensitive information for a diverse range of constituents, including voters, political candidates, and business owners, the Office of the Minnesota Secretary of State sought to proactively reduce risk exposure by innovating in security. It decided to engage with the security researcher community through a VDP, recognizing that its systems were already constantly being probed and that there were significant benefits to proactively leveraging the skills of security researchers. 

Partnering with Bugcrowd, the Office implemented a VDP that quickly yielded positive results. The program led to the discovery of hidden high-impact vulnerabilities, reduced noise in its security operations, and helped build productive relationships with the security researcher community. The Office achieved its goals of receiving legitimate, actionable vulnerability reports, with submissions being triaged in an average of 1.8 days. Learn more about this story by downloading the full case study.

To learn more about Bugcrowd’s solutions, download the Ultimate Guide to Offensive Security in the Public Sector.