Vulnerability Disclosure Programs

Cybersecurity News Update: How VDPs are helping to protect agency websites, plus the GSA is phasing out a 50-year-old ID system

New Policy Can Protect Government Websites

                In September of last year, a new cybersecurity policy was put in place that allowed agencies to use a VDP (Vulnerability Disclosure Program). The best way to describe a VDP is that it is a “911” for “.gov” websites. A recent instance accentuates the usefulness of these programs. On April 27th, an Australian-based group of cybersecurity experts called ‘Sakura Samurai’ found an exposed workstation in the State Department’s web environment. The workstation was running an outdated version of ‘eXide’ software and also hosting an open-sourced development environment that could be accessed by hackers. Because of the old software, it essentially acted as an unlocked backdoor for hackers. They’d have access to State Department user files, including password files.

Known as “white hat” or “ethical” hacking, groups such as Sakura Samurai alert companies and governments when they discover such vulnerabilities. The fastest way for them to communicate what they discover is through a VDP, should the owner of the webspace have one set-up. Because the State Department did have a VDP, they were able to confirm the threat and shut down the system just two days after it was discovered on the other side of the world.

GSA Replacing DUNS with UEIs

                The Data Universal Number System (DUNS) was created by Dun & Bradstreet in 1962 and the Federal Government began using it in 1998. Since then, every organization that is not a federal agency, but does business with the federal government, has needed a DUNS number. This includes a variety of organizations: contractors, grantees, universities, research centers, charities, and several more. The General Services Administration (GSA) has been transitioning away from DUNS and on April 4th, 2022, the GSA systems will no longer recognize DUNS numbers. The expiration date was originally planned for December 2020.

                In 2018, GSA opened up bidding for a contract to modernize the system, and a year later, Ernst & Young was awarded a contract to administer the new ID system, plus handle the transition from DUNS. Instead of a DUNS ID number, organizations doing business with the US Government will need a unique entity ID (UEI). For contractors and grantees who already use the System for Award Management (, a UEI has likely already been automatically assigned. For organizations, such as “sub-awardees” who haven’t yet been required to use will be able to register for a UEI on starting in October.

Until Next Time,

**Written by Benjamin Derge, Financial Planner. The information has been obtained from sources considered reliable but we do not guarantee that the foregoing material is accurate or complete. Any opinions are those of Benjamin Derge and not necessarily those of RJFS or Raymond James. Links are being provided for information purposes only. Expressions of opinion are as of this date and are subject to change without notice. Raymond James is not affiliated with and does not endorse, authorize, or sponsor any of the listed websites or their respective sponsors.

Vulnerability Disclosure Programs

Vulnerability Disclosure Programs