Dive Brief:
- Federal civilian agencies triaged more than 7,000 vulnerabilities submitted to the Vulnerability Disclosure Policy Platform in 2023, the Cybersecurity and Infrastructure Security Agency said Monday in an annual report on the program.
- Federal agencies remediated 872 vulnerabilities last year, a 78% increase from 2022, CISA said in the report. The federal government determined 15% of the vulnerabilities submitted to the VDP Platform last year were valid.
- The program is handling a steadily growing share of critical vulnerabilities. The VDP Platform identified 250 critical vulnerabilities in 2023, a 130% jump from 2022.
Dive Insight:
The increase in vulnerabilities identified by the VDP Platform is partly due to growing participation across the public and private sectors.
CISA established the federal government’s vulnerability management program in 2021 to help federal civilian agencies field software defect discoveries from researchers and remediate them.
The program ended 2023 with support from 51 federal agencies and 3,246 public security researchers, of which more than 1,700 joined last year.
“As additional agencies continue to onboard to the VDP Platform, the number of vulnerabilities identified and remediated will continue to increase, leading to a more secure federal environment,” CISA said in its annual report.
Participating agencies validated vulnerability submissions two days faster than non-participating agencies, on average. Agencies involved in the VDP Platform last year saved an estimated average of $4.45 million in potential remediation costs for critical and severe vulnerabilities, CISA said.
The top five classes of vulnerabilities identified through the VDP Platform in 2023 were cross-site scripting, server-side injection, sensitive data exposure, server security misconfiguration and broken access control.