Maryland’s new cybersecurity program will give security researchers and the general public a legal pathway to report cybersecurity vulnerabilities of state systems and websites, officials said.
The state said Vulnerability Disclosure Programs (VDPs) are used by the federal government and the private sector to identify vulnerabilities before threat actors can take advantage of them to breach IT systems and websites. While some states have limited VDPs, Maryland said its program is one of the most aggressive state government VDPs in the country, covering all of the state and local systems, as well as domains on networkMaryland, the state’s fiber optic network. That network currently has 137 public sector subscribers, including state, county, and local government organizations.
“Threat actors are constantly expanding their arsenal of tools and tactics to breach state and local systems–the State of Maryland must be proactive and aggressive in our response,” Maryland Department of Information Technology Secretary Katie Savage said. “This VDP will help us find vulnerabilities across our state and help us keep the State of Maryland’s systems, services, and data secure.”
Officials said security researchers and the public will have to follow specific instructions within the program to legally report vulnerabilities. Restrictions and disclosure guidelines within the program protect Marylanders’ security and privacy, officials said.
The VDP applies to publicly accessible web-facing systems and services using state-managed domain names like Maryland.gov, md.gov, or state.md.us, and that connect to networkMaryland, including executive branch state agencies, local governments, commissions and public entities across the state and some non-state organizations that use the state’s IT infrastructure or domains.
“If you see something, say something,” Acting State Chief Information Security Officer James Saunders said. “The State of Maryland welcomes all good-faith security researchers to test our systems.”
