The Public Can Now Test Public-Facing State of Maryland IT Systems With New Vulnerability Disclosure Program

Published: 10/22/2025

Crownsville, MD: Today, the State of Maryland has implemented a new cybersecurity program that gives security researchers and the general public a legal pathway to report cybersecurity vulnerabilities in web-facing State of Maryland IT systems and websites.

Vulnerability Disclosure Programs (VDPs) are widely used by the federal government and private sector to identify vulnerabilities before threat actors use them to breach IT systems and websites. While some state governments have limited VDPs, the State of Maryland’s is one of the most aggressive state government VDPs in the nation. Most state VDPs cover specific agencies–Maryland’s covers all state and local systems and domains on networkMaryland, the State’s fiber optic network, which currently has 137 public sector subscribers, including state, county, and local government organizations.

“Threat actors are constantly expanding their arsenal of tools and tactics to breach state and local systems–the State of Maryland must be proactive and aggressive in our response,” says Maryland Department of Information Technology Secretary Katie Savage. “This VDP will help us find vulnerabilities across our state and help us keep the State of Maryland’s systems, services, and data secure.”

Security researchers and the general public must follow specific instructions within the program to report vulnerabilities legally. The program has restrictions and disclosure guidelines that protect Marylanders' security and privacy.

This VDP applies to all web-facing systems and services that are publicly accessible and either:

  • Use state-managed domain names like *.maryland.gov, *.md.gov, or *.state.md.us
  • Connect to the state’s secure government network, networkMaryland

This includes:

  • Executive Branch state agencies
  • Several local governments, commissions, and public entities across Maryland
  • Certain eligible non-state organizations that use state IT infrastructure or domains

“If you see something, say something,” says Acting State Chief Information Security Officer James Saunders. “The State of Maryland welcomes all good-faith security researchers to test our systems. Thank you in advance for using your expertise and ingenuity to protect the State of Maryland and our people.”

The public can access the State of Maryland VDP here.

All media inquiries should be sent to the Maryland Department of Information Technology’s Communication Office at [email protected].