Emailed comment from Adam Bernstein, HUD OIG #83
Labels
20-01
VDP directive
Comments
|
The vulnerabilities are already there, and attackers can find them and won't tell you about them. Bringing attention to the underfunding seems like it would be a good thing, no? |
|
Acknowledging that the vulnerabilities are there, and the underlying problem that many Federal programs are underresourced to address cybersecurity program requirements and vulnerability mitigation, is a VDP the solution to what is essentially a resource availability, allocation and/or prioritization problem? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
US government agencies currently have many systems in operation with known vulnerabilities and weaknesses and limited funds or resources to mitigate the issues. The agencies continue to operate the systems because they accept the security risk in order to not impede the agency mission. If the systems become non-operational during an attack, then the assumption is that appropriations will then be provided to mitigate the issue. These legacy and underfunded systems should never be a part of any vulnerability disclosure program because the discovery of more vulnerabilities without the ability for remediation will only further weaken the country’s IT systems.
The text was updated successfully, but these errors were encountered: