When the Cybersecurity and Infrastructure Security Agency (CISA) launched the Secure by Design (SBD) pledge in May 2024, I was very optimistic. Bold ideas are common in cybersecurity, but lasting change hinges entirely on execution. SBD’s rapid uptake—over 250 signatories including heavyweights like AWS and Google—demonstrates widespread agreement on the urgent need for improved software security.

In this blog, I’ll share some background on the SBD pledge, break down the impact of the pledge six months in, and share how the greater security community can sustain this movement.

What is the SBD pledge?

SBD is a voluntary pledge that asks enterprise software vendors to make a good-faith effort to make measurable progress across seven security goals in the course of a year, including: 

  • Increasing the use of multi-factor authentication (MFA)
  • Reducing default passwords
  • Reducing the prevalence of one or more vulnerability classes
  • Increasing customer installation of security patches
  • Publishing a vulnerability disclosure program (VDP)
  • Issuing Common Vulnerabilities and Exposures (CVE) reports for critical vulnerabilities
  • Increasing customers’ ability to detect cybersecurity intrusions in the vendor’s product

While CISA provides helpful guidance on approaching these goals, it leaves the specific implementation approach up to the vendor. Those who make progress are encouraged to share their journey publicly, allowing organizations to demonstrate their security leadership.

The impact of SBD so far

The pledge itself is commendable, outlining clear, actionable goals that provide a practical, achievable roadmap for organizations to significantly improve their security posture. But enthusiasm alone won’t fix software security. Six months in, many signatories have yet to publicly share tangible progress, creating a troubling accountability gap. Without transparency and demonstrable follow-through, the initiative risks becoming another checkbox exercise, undermining the very culture change it seeks to inspire.

Fortunately, there are bright spots. Companies like Tenable and Trend Micro have publicly shared detailed progress, openly tracking their achievements and challenges. Newer entrants like Vanta have embraced radical transparency, regularly updating the community and actively inviting feedback. Google and Microsoft have also notably aligned their internal initiatives with SBD’s principles, demonstrating significant internal shifts toward secure-by-default practices.

These examples offer valuable blueprints for other organizations, showing that transparency is achievable—and powerful. Visibility into real-world efforts encourages healthy competition, motivating companies to deliver measurable security improvements.

How we can amplify the SBD movement

Drawing from these lessons, here are a few tips for how the security community can sustain and even amplify the SBD movement: 

  • Formalize transparency: CISA should publish periodic updates and an annual progress report to highlight successes and hold lagging companies accountable. Transparency must remain central, not optional.
  • Expand Secure by Design: We must extend these principles beyond enterprise software to cloud infrastructure, IoT devices, and open-source ecosystems. Broader adoption will elevate baseline security across the entire industry.
  • Consider incentives—and regulation: Voluntary compliance has sparked initial enthusiasm, but lasting change may require strategic regulation or procurement standards, ensuring baseline security is mandatory, not optional.

Bugcrowd’s data already highlights positive shifts: increased adoption of vulnerability disclosure programs and heightened conversations around ethical hacker collaboration. Companies are recognizing that vulnerability disclosure is essential—not just aspirational.

Now it’s time to translate pledges into action. Companies need to publicly demonstrate progress and maintain accountability, visibly rather than quietly. At Bugcrowd, we understand the challenges companies face in meeting SBD’s VDP requirements. We offer a range of solutions, from compliance-focused VDPs to robust programs for organizations expecting significant vulnerability disclosures.

Secure by Design isn’t just a pledge; it’s a promise to our users, customers, and industry peers. Let’s turn that promise into reality, ensuring transparency, accountability, and measurable progress.

Start your SBD journey with Bugcrowd

Ready to advance your SBD journey? Bugcrowd can help.

A great place to start is with a vulnerability disclosure program. Bugcrowd offers a range of options, from a free compliance-focused VDP to comprehensive programs for organizations expecting higher submission volumes. If you’re interested in collaborating, learn more about our VDP packages.