Cyber group calls for coordinated vulnerability disclosure policies

A white paper released March 6 by the Cybersecurity Coalition, an industry group led by former White House Senior Cybersecurity Director Ari Schwartz, recommends that organizations and governments adopt coordinated vulnerability disclosure (CVD) frameworks.

The paper also suggests placing the Department of Homeland Security or another civilian department in charge of developing a policy framework for federal agencies, and it calls for more federal funding for resources like the Common Vulnerability and Exposures and National Vulnerability Database programs.

The Cybersecurity Coalition argues that such policies should be "a standard component" of security programs at governments and private companies and that the U.S. government should promote and encourage broader adoption at home and internationally. The group does not support government bodies acting as arbiters for the private sector, however.

CVD policies are designed to provide clarity to third parties who probe websites, software and code for flaws regarding what activities and procedures are in and out of bounds, how to communicate with the organization and how long to sit on the information before going public.

The International Organization for Standardization has a formal policy in place to govern such interactions, but companies and organizations are sometimes skeptical about the motives behind such outside research and can end up focusing on minimizing the public relations damage caused by disclosing a flaw. Meanwhile, researchers often want to work with organizations to patch systems and products before the flaws become public, but they are also wary of letting companies call the shots when it comes to deploying fixes and disclosing the issue to outside stakeholders who may be affected. As a result, security researchers have found themselves accused of being malicious hackers when attempting to notify private companies about discovered flaws.

Congress has increasingly sought to legislatively compel some agencies to implement certain forms of incentivized CVD, with bills introduced in the past two years for bug bounty programs at DHS and the Department of State. The Department of Defense has also established procurements for legal bug bounty programs at the Pentagon, the Air Force and other branches of the military.

The federal government has gradually implemented CVD and legal bug bounty policies and recommendations on a piecemeal basis over the years. Last year the National Institute of Standards and Technology incorporated the practice into its Cybersecurity Framework.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.