Researchers can report vulnerabilities on a ‘no blame’ basis

News Zealand has introduced a mandatory vulnerability disclosure policy for government agencies

New Zealand's Government Communications Security Bureau (GCSB) has advised government agencies to introduce vulnerability disclosure policies (VDPs).

In its latest security manual, the GCSB said agencies should establish a process that would allow members of the public to report potential software vulnerabilities or other security problems.

Each agency will be responsible for creating its own policy, based on the sensitivity of the information it holds, the security measures already in place, and its ability to segment its network or otherwise segregate sensitive information. Vulnerabilities should be patched, mitigated or managed within 90 days.

Catch up on the latest bug bounty-related news and analysis

“The GCSB has included the requirement for a vulnerability disclosure policy in the New Zealand Information Security Manual to make it clear that public service agencies are expected to make it easy for people to tell them about vulnerabilities they see,” a GCSB spokesperson told the The Daily Swig.

“Each agency is responsible for their own policies, and the handling and triage of reported vulnerabilities themselves, as they are best placed to understand their IT environments and any dependencies they may have with managed service providers or software vendors.”

Researchers can report vulnerabilities on a ‘no blame’ basis, without fear of repercussion or penalty, as long as the disclosure policy is followed, and no illegal activity is undertaken. Unfortunately, though, there won't be any bounties on offer, and agencies are expected to place limits on web site, system or application probing.

Safe harbor

“Historically, most legal frameworks around the world still don't acknowledge the difference between a hacker operating in good faith, and a cybercriminal or malicious attacker,” Casey Ellis, founder, CTO, and chairman of bug bounty platform Bugcrowd, told the The Daily Swig.

“VDP aligns expectations, and creates safe harbor for folks who have information or want to help, but are otherwise chilled from doing so because of the legal ambiguity and risk.”

New Zealand is just the latest nation to start mandating VDPs for government agencies, with the US last year issuing Binding Operational Directive 20-01, which requires federal civilian agencies to develop and publish VDPs for their internet-accessible systems and services.

“Other countries have begun implementing similar mandates, such as the UK’s Product Security and Telecommunications Infrastructure Bill (PSTI), which mandates manufacturers, importers and distributors to meet minimum security requirements for all connectable products that are available to consumers, including having a VDP,” Christopher Dickens, security engineer at bug bounty platform HackerOne, told The Daily Swig.

“Other governments are sure to follow, and once VDPs are mandated everyone, from governments to businesses, will do it.”

YOU MAY ALSO LIKE Google Project Zero hails dramatic acceleration in security bug remediation