“The intent of the vulnerability disclosure platform is to provide a CISA-managed central platform to facilitate the submission and tracking of vulnerabilities discovered in internet-accessible information systems of the FCEB agencies, including Independent Agencies and all Boards, Commissions, and Committees. Participation in the vulnerability disclosure platform is envisioned to be voluntary for FCEB agencies, and therefore the platform needs to scale to support a potentially varying number of agencies at any time. The government desires that the vulnerability disclosure platform be a software-as-a-service web application that serves as the primary point of entry for vulnerability reporters to alert the government of potential issues on federal information systems for those agencies that participate in the platform. Remediation of identified vulnerabilities on federal information systems is intended to be the responsibility of the appropriate hosting agencies, not CISA or the vulnerability disclosure platform service provider.”
“The vulnerability disclosure platform should provide the following interfaces:
- Provides users (vulnerability reporters, agencies, CISA) direct access to the platform feature set.
- Allows reporters to submit vulnerabilities, track submissions and their status, and maintain communication (as they choose).
- Allows agencies to manage submissions and view summary statistics.
- Allows CISA to adjudicate submissions where the agency is unknown (or has been unresponsive), view statistical data and trends, run reports, export data, and view agency submissions.
- Notifications and alerts of submissions and updates can be emailed to the userbase from the platform (submission details are not included in the email) …”