A call for standard vulnerability disclosure policies

To provide more clarity and protection to security researchers who probe websites, software and other code for flaws and vulnerabilities, an industry group recommends that organizations and governments adopt coordinated vulnerability disclosure frameworks.

CVD policies detail what activities and procedures are in and out of bounds for security researchers, how they should communicate with organizations they are probing and how long they should sit on the information before going public.

A white paper released March 6 by the Cybersecurity Coalition suggests the Department of Homeland Security or another civilian department develop a policy framework for federal agencies.

Such policies should be "a standard component" of security programs at governments and private companies, and the U.S. government should promote and encourage broader adoption at home and internationally, according to the group led by former White House Senior Cybersecurity Director Ari Schwartz.

The International Organization for Standardization has a formal policy in place to govern security research, but companies and organizations are sometimes skeptical about the motives behind such outside work and can end up focusing on minimizing the public relations damage caused by disclosing a vulnerability.

Meanwhile, researchers often want to work with organizations to patch systems and products before the flaws become public, but they are also wary of letting companies call the shots when it comes to deploying fixes and disclosing the issue to outside stakeholders who may be affected. As a result, security researchers have found themselves accused of being malicious hackers when attempting to notify private companies about discovered flaws.

Congress has increasingly sought to compel some agencies to implement certain forms of incentivized CVD, with bills introduced in the past two years for bug bounty programs at DHS and the Department of State. The Department of Defense has also established procurements for legal bug bounty programs at the Pentagon, the Air Force and other branches of the military.

The federal government has gradually implemented CVD and legal bug bounty policies and recommendations on a piecemeal basis over the years. Last year the National Institute of Standards and Technology incorporated the practice into its Cybersecurity Framework.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.