Gov seeks public comment on directive

US federal agencies may soon be mandated to have vulnerability disclosure policies

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is planning a directive requiring all federal agencies to create and publish a vulnerability disclosure policy (VDP).

According to CISA, most federal agencies lack any formal mechanism to receive information from third parties about potential security vulnerabilities in their systems, and many have no defined strategy for handling reports when they do come in.

“A VDP allows people who have ‘seen something’ to ‘say something’ to those who can fix it,” says Jeanette Manfra, CISA's assistant director for cybersecurity, in a statement published late last week.

“It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems.”

CISA is now seeking public comment on a draft binding operational directive, BOD 20-01, that would mandate a VDP and appropriate handling procedures.

There's a tight timetable: agencies would be expected to add one new system or service to the VDP every 90 days, and any new systems would have to be included from the start. All internet-accessible systems must be in scope within two years, and while the directive doesn't mandate bug bounties, agencies are free to offer them if they wish.

“We think a single, universal vulnerability disclosure policy for the executive branch is a good goal,” says Manfra.

“It makes sense particularly when each agency has all internet-accessible systems in scope, but we expect that goal to be an unrealistic starting place for most agencies.”

Instead, she says, the aim is to gradually widen the scope of the program, allowing each agency to “level up incrementally”.

In the past, researchers have been wary of reporting vulnerabilities in government systems or those of associated agencies, thanks to the lack of a reporting mechanism paired with unsympathetic legislation – both federal agencies and commercial organizations have, at times, targeted security researchers under hacking laws.

But this latest move forms part of an increasing focus on vulnerability disclosure on the part of the government, with the Office of Management and Budget (OMB) also issuing a draft policy this week that would require all federal agencies to publish a VDP within 180 days.

In recent years, the government has started sponsoring bug bounty programs such as the Hack the Pentagon, Hack the DTS, Hack the Air Force, and Hack the Army.

Katie Moussouris, CEO of Luta Security, says she expects the tight timelines will see organizations outsourcing.

“Yes, I know it *says* this isn’t to force bug bounties,” she writes on Twitter.

“But if you look at the dates for complying, the urgency language used in pushing the concept that has been documented & implemented for decades as vuln disclosure, most orgs will only have time for outsourcing to platforms.”

CISA is seeking public comment on the directive up until December 27, 2019.