A call for standard vulnerability disclosure policies
- By Derek B. Johnson
- Mar 08, 2019
To provide more clarity and protection to security researchers who probe websites, software and other code for flaws and vulnerabilities, an industry group recommends that organizations and governments adopt coordinated vulnerability disclosure frameworks.
CVD policies detail what activities and procedures are in and out of bounds for security researchers, how they should communicate with organizations they are probing and how long they should sit on the information before going public.
A white paper released March 6 by the Cybersecurity Coalition suggests the Department of Homeland Security or another civilian department develop a policy framework for federal agencies.
Such policies should be "a standard component" of security programs at governments and private companies, and the U.S. government should promote and encourage broader adoption at home and internationally, according to the group led by former White House Senior Cybersecurity Director Ari Schwartz.
The International Organization for Standardization has a formal policy in place to govern security research, but companies and organizations are sometimes skeptical about the motives behind such outside work and can end up focusing on minimizing the public relations damage caused by disclosing a vulnerability.
Meanwhile, researchers often want to work with organizations to patch systems and products before the flaws become public, but they are also wary of letting companies call the shots when it comes to deploying fixes and disclosing the issue to outside stakeholders who may be affected. As a result, security researchers have found themselves accused of being malicious hackers when attempting to notify private companies about discovered flaws.
Congress has increasingly sought to compel some agencies to implement certain forms of incentivized CVD, with bills introduced in the past two years for bug bounty programs at DHS and the Department of State. The Department of Defense has also established procurements for legal bug bounty programs at the Pentagon, the Air Force and other branches of the military.
The federal government has gradually implemented CVD and legal bug bounty policies and recommendations on a piecemeal basis over the years. Last year the National Institute of Standards and Technology incorporated the practice into its Cybersecurity Framework.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.