Researchers can report vulnerabilities on a ‘no blame’ basis
New Zealand's Government Communications Security Bureau (GCSB) has advised government agencies to introduce vulnerability disclosure policies (VDPs).
Each agency will be responsible for creating its own policy, based on the sensitivity of the information it holds, the security measures already in place, and its ability to segment its network or otherwise segregate sensitive information. Vulnerabilities should be patched, mitigated or managed within 90 days.
“The GCSB has included the requirement for a vulnerability disclosure policy in the New Zealand Information Security Manual to make it clear that public service agencies are expected to make it easy for people to tell them about vulnerabilities they see,” a GCSB spokesperson told the The Daily Swig.
“Each agency is responsible for their own policies, and the handling and triage of reported vulnerabilities themselves, as they are best placed to understand their IT environments and any dependencies they may have with managed service providers or software vendors.”
Researchers can report vulnerabilities on a ‘no blame’ basis, without fear of repercussion or penalty, as long as the disclosure policy is followed, and no illegal activity is undertaken. Unfortunately, though, there won't be any bounties on offer, and agencies are expected to place limits on web site, system or application probing.
“Historically, most legal frameworks around the world still don't acknowledge the difference between a hacker operating in good faith, and a cybercriminal or malicious attacker,” Casey Ellis, founder, CTO, and chairman of bug bounty platform Bugcrowd, told the The Daily Swig.
“VDP aligns expectations, and creates safe harbor for folks who have information or want to help, but are otherwise chilled from doing so because of the legal ambiguity and risk.”
New Zealand is just the latest nation to start mandating VDPs for government agencies, with the US last year issuing Binding Operational Directive 20-01, which requires federal civilian agencies to develop and publish VDPs for their internet-accessible systems and services.
“Other countries have begun implementing similar mandates, such as the UK’s Product Security and Telecommunications Infrastructure Bill (PSTI), which mandates manufacturers, importers and distributors to meet minimum security requirements for all connectable products that are available to consumers, including having a VDP,” Christopher Dickens, security engineer at bug bounty platform HackerOne, told The Daily Swig.
“Other governments are sure to follow, and once VDPs are mandated everyone, from governments to businesses, will do it.”