Keeping track of vulnerability disclosures
- By Derek B. Johnson
- Jan 06, 2020
The General Services Administration and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency are considering a centralized cloud-based vulnerability disclosure platform for civilian executive agencies.
A December request for information asked for market research on a software-as-a-service web application that security researchers could use to alert the government of potential issues on federal internet-accessible information systems.
The platform would track incoming submissions, validate each report for legitimate bugs while filtering out errant ones, enable web-based communication between the reporter and agency during remediation efforts and allow agencies to create separate role-based accounts for their main organization and component agencies.
The platform would also track a number of metrics around each agency's disclosure program, such as the number of reports submitted, number of valid vulnerabilities identified and the median time needed to respond, validate and mitigate issues. Automatic alerts would be sent out to all parties as different stakeholders complete their tasks, and the web application would allow CISA to intervene in instances where the affected agency is unknown or unresponsive to a pending bug.
While federal civilian and military systems are often riddled with bugs, the RFI points out that the system could be beneficial to the many agencies that will likely be starting vulnerability disclosure management from scratch.
"Most federal agencies currently lack a formal mechanism to receive information from third parties about potential security vulnerabilities on their systems," the RFI notes. "Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized."
The RFI overlaps with a request from CISA for feedback from security researchers on a draft Binding Operational Directive that would compel civilian agencies to set up their own vulnerability disclosure programs.
Some security researchers have expressed concerns around legal protections and how easy it would be to contact and communicate with affected agencies. Over the years internal audits by the Government Accountability Office and agency inspectors general have found hundreds of security vulnerabilities and spotty patch management practices for U.S. weapons systems, airport screening systems, the electrical grid, unclassified nuclear systems and a host of other critical IT systems managed by the federal government.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.