Threat researchers think every sizeable organization, including the US government, should have a VDP. “On the surface, [CISA’s program is] very good,” Dustin Childs, head of threat awareness in the Zero Day Initiative at Trend Micro, tells CSO. “Every enterprise, especially any large enterprise like the US government, should have some vulnerability disclosure platform.”
Grant Bourzikas, Cloudflare’s CSO, also views CISA’s VDP positively. “Processes and guidance like CISA’s VDP are a step toward decreasing risks and proactively driving change,” he tells CSO. “Access to a cohesive platform that makes strides towards receiving, triaging, and routing publicly disclosed vulnerabilities will help security teams with prioritization and visibility and move the needle further towards proactive measures.”
Multiple government VDP programs foster confusion
Although CISA’s VDP might have the broadest reach in terms of the number of government agencies it covers, other major arms of the US government, including the US Department of Defense, Department of Commerce, Department of Education, State Department, and Justice Department, have their own separate VDP programs. HackerOne provides the underlying technology for many of these non-CISA VDP platforms.