CISA’s VDP is in progress but can still be improved

Threat researchers think that every large organization, including the US government, should have a VDP. “On its face, [CISA’s program] is great,” Dustin Childs, head of threat awareness for the Zero Day Initiative at Trend Micro, told CSO. “Every business, especially any business as big as the US government, should have a risk disclosure platform.”

Grant Bourzikas, Cloudflare’s CSO, also views CISA’s VDP favorably. “Procedures and guidelines such as CISA’s VDP are a step towards risk reduction and rapid change,” he told CSO. “Access to a unified platform that takes steps toward acknowledging, evaluating, and addressing publicly disclosed vulnerabilities will help security teams with prioritization and visibility and move the needle on proactive measures.”

Multiple government VDP programs invite confusion

Although CISA’s VDP covers many federal agencies, other major US government agencies, including the US Department of Defense, the Department of Commerce, the Department of Education, the Department of State, and the Department of Justice, run their own separate VDP programs. HackerOne provides the underlying technology for many of these non-CISA VDP platforms.
