Majority of government sectors now obliged to take part in initiative

US federal agencies will be required to implement a vulnerability disclosure process

The US government has released a new directive requiring all executive agencies to implement a vulnerability disclosure policy (VDP) to help secure their networks.

An operational directive released by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) will make it mandatory for “most” government agencies to create an easily accessible security disclosure program for public use.

The report, BOD 20-01, was released for public comment last November. CISA said it received more than 200 recommendations from security researchers, academics, and federal agencies.

A final draft was issued this week, which provides guidance for federal agencies on how to implement a VDP.

Similar to bug bounties, where a financial reward is offered to researchers who unearth security vulnerabilities, a VDP is a policy that allows ethical hackers to report bugs, albeit without a cash incentive.

Safe harbor clauses are often added to VDPs, enabling researchers to test systems and networks without fear of legal reprisal.

‘As easy as dialing 911’

“BOD 20-01 is part of CISA’s renewed commitment to making vulnerability disclosure to the civilian executive branch as easy conceptually as dialing 911,” a statement from CISA reads.

This will be achieved by making agency-specific VDPs easily accessible – for example, by adding an easy-to-find security contact and publicly posting details of the security policy.

CISA will also act as a backstop for any issues that cannot be reported to a US government agency directly.

The statement reads: “To centralize part of this effort, CISA will offer a vulnerability disclosure platform service next spring.

“We expect this will ease operations at agencies, diminish their reporting burden under this directive, and enhance discoverability for vulnerability reporters.”

Welcome news

Alex Rice, CTO and co-founder of bug bounty platform HackerOne, welcomed the changes.

“HackerOne believes that CISA’s Binding Operational Directive is a pivotal milestone in the mission to restore trust in digital democracy and protect the integrity of federal information systems,” he said.

“Every organization, especially those protecting sensitive information, should have a public-facing way to report potential security gaps.”

Rice added: “The government is leaping ahead of much of corporate America. HackerOne applauds CISA’s detailed implementation guide, and we are eager to assist federal entities in their important work ahead.

“We will look back on this moment years from now to recognize it as a turning point in America’s fight for trustworthy technology.”

Security steps

The push towards government-led VDPs follows CISA’s announcement that it will provide funding for state, local, tribal, and territorial organizations to access a DNS security tool.

The Malicious Domain Blocking and Reporting service was built by CISA with Akamai and the Center for Internet Security.

SLTT (state, local, tribal, and territorial) security teams will be able to access the tool as part of a 12-month program, the agency said.