Since 2021, the Cybersecurity and Infrastructure Security Agency (CISA) has partnered with Bugcrowd and EnDyna to operate the Vulnerability Disclosure Program (VDP) Platform to help Federal Civilian Executive Branch (FCEB) agencies identify and address security vulnerabilities in their infrastructure. The platform’s usage grew dramatically in 2023, with over 7,000 vulnerabilities reported across 50+ federal agencies—a 132% increase from 2022. To better understand the growing impact of the VDP platform, CISA released its annual report, analyzing trends and impact across participating agencies. In this blog post, we’ll dive into the results and share takeaways that can benefit public sector organizations at all levels.
An overview of CISA’s VDP platform
A VDP is a structured framework for security researchers to document and submit potential vulnerabilities to organizations via a safe, trusted channel without receiving compensation in return—like a “neighborhood watch” for vulnerability discovery. VDPs help organizations mitigate risk by giving researchers a sanctioned channel to disclose vulnerabilities, so that security teams can remediate them before malicious actors exploit them.
BOD 20-01 requires all FCEB agencies to develop and publish a vulnerability disclosure policy to strengthen their cybersecurity posture. However, running a self-managed VDP is often prohibitively resource-intensive: handling disclosed vulnerabilities, triaging reports, corresponding with security researchers, and meeting compliance and reporting requirements all add significant administrative overhead. This burden can divert resources away from fixing critical vulnerabilities.
This challenge is why CISA partnered with Bugcrowd and EnDyna to create a shared VDP platform for FCEB agencies. This solution enables collaboration with the security research community, improving security and coordinated disclosure across 50+ participating agencies. The platform’s key offerings are:
- Automatic screening: Detects spam and performs a base-level validation and triage on all submitted reports.
- Centralized communication: Provides a web-based communication channel to streamline communication between the agency and individual researchers.
- Compliance and reporting: Generates reporting metrics that satisfy BOD 20-01’s requirements.
- Bug bounty integration: Simplifies the creation and management of bug bounty programs, which offer financial incentives to researchers searching for vulnerabilities.
Over 50 FCEB agencies have been onboarded to the platform, including the following:
- Department of Homeland Security
- Environmental Protection Agency
- Federal Trade Commission
- National Aeronautics and Space Administration
- Department of the Treasury
Annual report highlights
In September 2024, CISA released an annual report outlining the impact and achievements of the VDP platform. Here are some of the key takeaways:
Expanded platform adoption: In 2023, the platform onboarded 11 new agencies and quickly became the leading vulnerability reporting channel for FCEB agencies. By Q4, 90% of all vulnerability submissions to FCEB agencies came through the VDP platform. The platform’s reach was apparent: participating agencies received an average of 155 more vulnerability reports than non-participating agencies.
Increased vulnerability detection: The platform identified 1,094 valid vulnerabilities, an 82% increase from 2022. Notably, 307 were classified as critical or severe—marking a 2x increase from the previous year.
Accelerated remediation efforts: The platform significantly improved response times, with participating agencies validating submissions two days faster than non-participating agencies. This efficiency drove a 78% increase in vulnerability remediation, resulting in agencies fixing 872 vulnerabilities in 2023. The NASA VDP program manager explains, “[The VDP platform] has benefited us quite a bit… All the information is there. It has filtered tickets and allows us to streamline information to our product team quicker.”
Demonstrated cost savings: In 2023, agencies remediated 307 critical and severe vulnerabilities before they could be exploited. This resulted in an estimated average savings of $4.5 million in potential breach-related costs.
Growing global research community: In 2023, the platform doubled the size of its security researcher community, with 892 security researchers submitting vulnerabilities. As gh0st_prathamesh, a public security researcher, explains, “It’s good to see most of [the] VDP programs in one platform… which makes it easy to… start hunting for vulnerabilities—much easier than visiting each organization separately and reporting vulnerabilities manually.” This expanded talent pool brings fresh perspectives and specialized skills, which help agencies identify unconventional threats more effectively.
Elevating security maturity: In 2023, two agencies launched bug bounty programs for the rigorous inspection of critical systems. These programs strengthen cybersecurity by attracting top-tier researchers who are financially rewarded for discovering critical vulnerabilities. Through these initiatives, 815 researchers were invited to examine 56 systems, identifying 229 vulnerabilities and earning $335,000 in bounty payouts, averaging nearly $1,500 per accepted submission.
A new era in federal cybersecurity
As more agencies embrace the VDP platform, it will continue strengthening the federal cybersecurity ecosystem. Kent Wilson, VP of Global Public at Bugcrowd, notes, “This report is exciting because it shows more federal agencies are recognizing the power of crowdsourced security measures like VDPs. By embracing them, they’re proactively finding and fixing hundreds more vulnerabilities every year, despite limited resources.”
The VDP platform’s success shows what the public sector can gain by embracing crowdsourced security initiatives. From local governments to state agencies, these organizations deliver crucial services and safeguard vast amounts of sensitive information, making them attractive targets for cyberattacks. By strengthening security before a breach occurs, these entities can better protect citizens and maintain public trust. “The evolving threat landscape is precisely why collaborating with the research community is essential,” Kent explains. “The VDP platform shows such programs can be a powerful ally for the public sector, bringing extra capacity and valuable expertise. Luckily, the research community is eager and ready to help.”
For a detailed look at how the VDP platform is reshaping vulnerability management, read the full annual report.