The state recently launched a Vulnerability Disclosure Program (VDP), a framework that lets people legally identify and report potential security flaws in Maryland’s public-facing websites and systems. Administered by the Maryland Department of Information Technology (DoIT), the program marks a significant step in collaboration between government and the security community.
Maryland’s VDP applies across a broad network of agencies and partners, including executive branch offices, local governments, commissions and organizations that operate within networkMaryland, the state’s fiber-optic backbone connecting 137 public-sector entities.
“Threat actors are constantly expanding their arsenal of tools and tactics to breach state and local systems — the State of Maryland must be proactive and aggressive in our response,” DoIT Secretary Katie Savage said in a statement. “This VDP will help us find vulnerabilities across our state and help us keep the State of Maryland’s systems, services, and data secure.”
The VDP is operated in partnership with Bugcrowd, a third-party platform that manages vulnerability disclosure and bug bounty programs for public and private organizations worldwide. According to the state’s Acting Chief Information Security Officer James Saunders, the partnership allows Maryland to tap into an established network of researchers and proven triage workflows, “enhancing participation, increasing efficiency, and ensuring value for Maryland taxpayers.”
Bugcrowd works alongside DoIT’s Office of Security Management (OSM) to review and categorize incoming reports based on severity, exploitability and validity. Once a vulnerability is verified, OSM contacts the relevant agency or organization to initiate remediation.
“Our approach to remediation is collaborative,” Saunders said. “Whole-of-state cybersecurity is a shared responsibility, and our goal is always to work together to address issues quickly and effectively.”
At this early stage, Saunders said, the average turnaround time between discovery and remediation will vary depending on the nature of the vulnerability, though DoIT expects the timeframe to decrease as the program matures and report volume stabilizes.
DoIT’s policy includes a Safe Harbor provision protecting good-faith security researchers from prosecution when following the program’s rules. The state defines “good faith” as research conducted without malicious intent, within the VDP’s scope, and solely for the purpose of improving security. If DoIT determines that testing followed these principles, it will be considered authorized, and the department “will not recommend legal action related to the security research.”
The VDP’s scope covers any public-facing site or service that uses official Maryland government domains — including maryland.gov, md.gov, and state.md.us — or that connects to networkMaryland. Reports must follow the program’s disclosure procedures to ensure testing remains within ethical and legal limits.
The program’s reach extends to local governments and other entities connected to the state’s network infrastructure. Saunders issued a binding operational directive Oct. 21 requiring all Maryland local governments, commissions and quasi-governmental organizations using state-managed domains or networkMaryland services to participate in the VDP process. While the directive includes enforcement provisions, DoIT is emphasizing collaboration over penalties, offering hands-on support for entities that need resources or technical help.
The agency plans to publish high-level, anonymized data showing the number and severity of vulnerabilities identified through the program as a measure of accountability. According to the state, 23 reports have been submitted and validated since the program’s launch last week.
The VDP effort also aligns with Maryland’s broader cybersecurity modernization strategy outlined in its IT Master Plan, which emphasizes building a “proactive, adaptive, and resilient cybersecurity posture.” The plan includes expanding the vulnerability management program to incorporate Bug Bounties and “Hack the State” initiatives, modernizing the statewide incident response framework, and developing measurable service-level agreements to track progress.
“Our goal,” Saunders said, “is to make cybersecurity services that state and local governments will choose to use because of their benefits, not just because they are required by law.”