November 28, 2019 (updated 29 Nov 2019 9:53am)

Hackers Welcome! US Gov’t to Demand Agencies Have White Hat-Friendly Vuln. Disclosure Policy

"The federal government has a reputation for being defensive or litigious in dealing with outside security researchers"

By CBR Staff Writer

CISA, the US government’s cybersecurity agency, has published a draft directive requiring all civilian agencies to establish a security researcher-friendly vulnerability disclosure policy, so that white hat hackers are welcomed and have a clear process to follow when they want to report a vulnerability.

As CISA notes: “Most federal agencies lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems. Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”

In a draft directive published late Wednesday, November 27, the federal agency (established in 2018) adds: “These circumstances create an environment that delays or discourages the public from reporting potential information security problems to the government, which can prevent these issues from being discovered and fixed before they are exploited or publicly disclosed.”


Vulnerability Disclosure Policy 

Security researchers who have found and seek to report a vulnerability in an organisation’s online infrastructure can, at best, still find themselves hitting a brick wall. (At worst they can face legal threats and bluster; nobody likes being exposed as vulnerable, and hacker-friendly cultures remain rare.)

The Cybersecurity and Infrastructure Security Agency recognises that issue in the draft, saying: “To many in the security community, the federal government has a reputation for being defensive or litigious in dealing with outside security researchers. Compounding this, many government information systems are accompanied by strongly worded legalistic statements warning visitors against unauthorized use. Without clear, warm assurances that good faith security research is welcomed and authorized, researchers may fear legal reprisal, and some may choose not to report at all.”

Most forward-thinking enterprises now recognise that there is a lively ecosystem of hackers-who-help, rather than hinder. But while bug bounties proliferate, there is no shortage of businesses and public sector bodies with no vulnerability disclosure policy, portal, or security culture. 


CISA is taking comments on the draft directive now and through to December 27, 2019. As it stands, the directive requires each agency to develop and publish a vulnerability disclosure policy (VDP) and to maintain supporting handling procedures. As CISA puts it: “Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more data to protect their agencies.”

The move is likely to be hugely welcomed by security companies and security researchers alike. This side of the Atlantic, government agencies have been notably slower to set up the kinds of bug bounty programmes that proliferate in the US, although the UK’s NCSC as of December 2018 has a portal that allows security researchers to report public agency vulnerabilities directly to it.

As the NCSC noted last year: “The quickest way to remediate a security vulnerability is to report it to the system owner. However we appreciate that it can be hard to find the right contact, so researchers can now report the vulnerability to us.”

Marco Rottigni, EMEA CTO at security firm Qualys told Computer Business Review: “I endorse very much the idea of setting precise timelines (e.g. 180 days) for complying with the directive. Such proactive pressure is very much needed.”

Read this: Landmark GCHQ Publication Reveals Vulnerability Disclosure Process
