The US state of Maryland has launched a statewide Vulnerability Disclosure Programme (VDP) to give ethical hackers the chance to probe systems across its government for flaws and vulnerabilities and allow them safe, straightforward and transparent reporting mechanisms.
The programme, which will be operated by bug bounty and VDP programme specialists at Bugcrowd, will give Maryland access to a well-established community of hackers, proven workflows and scalable reporting infrastructure. The state’s leaders said that working in this way would increase hacker participation, improve the efficiency of vulnerability triaging and enable internal IT teams to stay focused on remediation while maintaining value for the state’s taxpayers.
Writing on LinkedIn, acting Maryland state CISO James Saunders said: “Cyber security is often called a team sport. I believe that deeply, and more importantly, we are all on the same team. If you see something insecure, report it. Every observation helps us strengthen our defences and improve together.
“At its core, cyber security has always been about people. Technology matters, but trust, communication, and shared responsibility matter more. These efforts remind us that when we collaborate, learn, and protect one another, we make Maryland stronger – together!”
Maryland is not the first American jurisdiction to operate such a programme, California, Iowa, Ohio, Delaware, Minnesota, Idaho, New Jersey, Los Angeles, and Washington DC also operate such schemes, but the creation of the VDP at this moment in time in part reflects growing momentum among state governments to take more charge of their own affairs as cuts to the currently shutdown federal government continue.
In the cyber security sector, concerns continue to swirl following cutbacks to the Cybersecurity and Infrastructure Security Agency (CISA), which critics of the Trump administration say limits the US’ capacity to respond to cyber threats both within its borders and on the global stage.
In recent days, CISA – which sits within the Department of Homeland Security – saw its Stakeholder Engagement Division hit by sweeping layoffs, according to our sister title Cybersecurity Dive. Citing sources familiar with the matter, it reported that the latest cuts would leave units that engage with academic institutions, CNI operators, government agencies, non-profits, SMEs, and state and local governments effectively unstaffed.
Compulsory intel sharing
Meanwhile, additional to its new VDP, Maryland is expanding its in-house Information Sharing and Analysis Centre (MD-ISAC), mandating the participation of all state agencies, local governments, critical infrastructure operators and private sector partners working in the state.
Saunders said real-time collaboration and trusted information sharing were “essential to our collective resilience in today’s fast-moving cyber landscape”.
According to state leaders, a number of “critical cyber security incidents” have highlighted that Maryland lacks a single, secure, and universal channel to spread sensitive threat information and incident details in a timely manner.
Compulsory participation will give in-scope bodies access to a repository of threat indicators to allow cyber teams to research new threats and enhance detection and prevention capabilities; state specific threat data related to patterns, trends and anomalies seen on Maryland’s own systems; and continuous threat exchange collaboration capabilities.
“Maryland officials point to earlier bug bounty pilots, where researchers identified dozens of issues, as proof that involving the hacker community demonstrably reduces risk,” said Noelle Murata, senior security engineer at Xcape, a managed security services provider (MSSP).
“With James Saunders newly installed as state CISO, the project suggests a push to standardise intake, safe-harbour reporting, and remediation across agencies. The combined goal of VDP and MD-ISAC is to transform ad hoc findings into statewide speed alerts and actionable remedies.
“Maryland’s message to defenders and researchers is simple – if you see something, say something, and we’ll fix it fast, together,” she said.