Federal Agencies have been ordered to stop threatening and start thanking security researchers for reporting vulnerabilities in their internet-facing infrastructure.
The demand comes via a new “binding operational directive” (BOD) from the US’s Cybersecurity and Infrastructure Security Agency (CISA) published September 2.
This requires each agency to develop and publish a Vulnerability Disclosure Policy (VDP) and “maintain supporting handling procedures” within 30 days.
In practice, that means setting up/updating a security@ contact for each .gov domain, regularly monitoring the email address associated with it, and staffing it with personnel “capable of triaging unsolicited security reports for the entire domain.”
Security professionals are about to be in even greater demand…
Want to Poke Holes in .gov Domains? Maybe Wait Another 180 Days…
Agencies have longer (180 days) to spell out clearly what is in scope; at least “one internet-accessible production system or service must be” in scope, CISA says.
The policy must also include a “commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represents a good faith effort to follow the policy, and deem that activity authorized.”
As CISA Assistant Director Bryan Ware notes: “Imagine walking your neighborhood in the cool dawn and noticing a home at the end of the block engulfed in flames. You look around. No one else appears to have noticed yet. What do you do? You’ll likely call 911, share the address of the burning home, and stick around to help if needed.
“Now, imagine visiting a government web application – say, website.gov – on a balmy evening and noticing an open redirect on the site. You click around. Nothing on the site hints at how to report this. What do you do? If you’re into cybersecurity, you might send a short email to firstname.lastname@example.org, pulse some contacts when it bounces, and tweet something spicy about website.gov. It doesn’t have to be this way…”
The move comes after CISA in November — as reported by Computer Business Review — asked for feedback on a draft operational directive, BOD 20-01, which would require most executive branch agencies to create a VDP that spells out to those who find flaws in an agency’s digital infrastructure “where to send a report, what types of testing are authorized for which systems, and what communication to expect in response.”
As CISA’s Bryan Ware noted, however, the federal vulnerability disclosure requirement is not a chance for over-eager vendors to start pitching their wares.
“A final note to those people who find and report vulnerabilities: we see your work, we want to help, and we appreciate you. To others that would use these new ways to reach agencies, please: this is not a business development opportunity, and pitches to email@example.com aren’t going to be appreciated.
“Don’t @cisagov on your spicy tweets.”
Full details of the binding operational directive are here.