“The federal government has a reputation for being defensive or litigious in dealing with outside security researchers”
CISA, the US government’s cybersecurity agency, has published a draft directive requiring all civilian agencies to establish a security researcher-friendly vulnerability disclosure policy — so that can white hat hackers are welcomed and have clear processes when they want to report a vulnerability.
As CISA notes: “Most federal agencies lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems. Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”
In a draft directive published late Wednesday, November 27, the federal agency (established in 2018) adds: “These circumstances create an environment that delays or discourages the public from reporting potential information security problems to the government, which can prevent these issues from being discovered and fixed before they are exploited or publicly disclosed.”
Vulnerability Disclosure Policy
Security researchers who have found and seek to report a vulnerability in an organisation’s online infrastructure can still find themselves hitting a brick wall at best. (At worst they can face legal threats and bluster; nobody likes be exposed as vulnerable and hacker-friendly cultures remain rare).
The Cybersecurity and Infrastructure Security Agency recognises that issue in the draft, saying: “To many in the security community, the federal government has a reputation for being defensive or litigious in dealing with outside security researchers. Compounding this, many government information systems are accompanied by strongly worded legalistic statements warning visitors against unauthorized use. Without clear, warm assurances that good faith security research is welcomed and authorized, researchers may fear legal reprisal, and some may choose not to report at all.”
Most forward-thinking enterprises now recognise that there is a lively ecosystem of hackers-who-help, rather than hinder. But while bug bounties proliferate, there is no shortage of businesses and public sector bodies with no vulnerability disclosure policy, portal, or security culture.
CISA is taking comments on the draft directive now and through to December 27, 2019. As stands, the directive requires each agency to develop and publish a vulnerability disclosure policy (VDP), and maintain supporting handling procedures. As CISA puts it: “Vulnerability disclosure policies enhance the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public. This helps safeguard the information the public has entrusted to the government and gives federal cybersecurity teams more data to protect their agencies.”
The move is likely to be hugely welcomed by security companies and security researchers alike. This side of the Atlantic, government agencies have been notably slower to set up the kinds of bug bounty programmes that proliferate in the US, although the UK’s NCSC as of December 2018 has a portal that allows security researchers to report public agency vulnerabilities directly to it.
As it noted last year: ““The quickest way to remediate a security vulnerability is to report it to the system owner. However we appreciate that it can be hard to find the right contact, so researchers can now report the vulnerability to us.”
Marco Rottigni, EMEA CTO at security firm Qualys told Computer Business Review: “I endorse very much the idea of setting precise timelines (e.g. 180 days) for complying with the directive. Such proactive pressure is very much needed.”