The Department of Homeland Security is interested in acquiring a platform that third parties can use to report vulnerabilities in government systems.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information recently via the General Services Administration to identify potential vendors who can provide “a software-as-a-service web application that serves as the primary point of entry for vulnerability reporters to alert the government of potential issues on federal information systems for those agencies that participate in the platform.”
The need for such a platform comes with the recent release of a draft for DHS Binding Operative Directive 20-01, which “will require each federal agency to publish a vulnerability disclosure policy (VDP).” But very few civilian agencies actually have such programs.
CISA will manage the central vulnerability-reporting platform, and agencies can use it as shared service as they’d like. Because participation is voluntary, the RFI says, “the platform needs to scale to support a potentially varying number of agencies at any time.”
In the end, it will be the responsibility of the agencies to remediate any vulnerabilities shared on the platform.
CISA wants a platform that can screen, validate and track submitted reports, provide for communication between the individual issuing a report and the agency, issue metrics on vulnerabilities, and alert all parties when actions are taken.
The agency also wants the platform to include the options for agencies to provide bug bounties — financial rewards for reporting vulnerabilities.
GSA and DHS may decide to hold one-on-one meetings with vendors to discuss responses to the RFI.
Responses are due Jan. 15.