Jackson Henry and John Jackson Say VDPs Give Assurance to Researchers
Security researchers often don't know the trouble they're walking into when disclosing software vulnerabilities to an organization.
At best, the flaw gets fixed and the researchers are thanked. At worst, they might be prosecuted. But the U.S. government has opened up its arms to security researchers who responsibly disclose vulnerabilities.
In September 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated under Binding Operational Directive 20-01 that most federal executive branch agencies create vulnerability disclosure programs, or VDPs.
The VDPs outline how security researchers can submit reports about vulnerabilities and bugs in federal IT systems and what’s in scope. And importantly, the VDPs ensure that researchers can make those reports without fear of reprisal (see: US Agencies Must Create Vulnerability Disclosure Policies).
Jackson Henry and John Jackson are with the security research group Sakura Samurai. They have disclosed vulnerabilities to agencies such as the National Science Foundation.
Henry says many researchers are still unaware of the U.S. government’s VDP programs. He says Sakura Samurai prefers to focus on VDPs rather than bug bounty programs, which tend to attract more researchers because there’s a potential…