DHS, OMB prep bug bounty rollout

The Department of Homeland Security is seeking public comment on how to structure information collection activities related to its new vulnerability disclosure program.

In a draft notice set to be published in the Federal Register Aug. 28, DHS and the Office of Management and Budget ask for feedback from private industry on how best to structure the form and information for companies or individuals who wish to submit information to the government about newly discovered IT vulnerabilities present on DHS information systems. The program was created pursuant to the SECURE Technologies Act passed into law last year.

The DHS form asks security researchers for information on any vulnerable hosts, details on how to reproduce the vulnerability, ideas for remediation and an assessment of potential impacts if left unaddressed.

"The form will benefit researchers as it will provide a safe and lawful way for them to practice and discover new skills while discovering the vulnerabilities," the notice reads. "Meanwhile, it will provide the same benefit to the DHS, in addition to enhanced information system security following the vulnerability mitigation."

Vulnerability disclosures conducted outside of established programs can cause conflict between organizations and security researchers. Companies and governments are often suspicious of the motives of outside parties who poke around their systems and networks, while security researchers routinely argue that organizations prioritize their own reputation and public image over the safety and security of their customers. Bug bounty programs, however, are increasingly cropping up in government, most notably at the Department of Defense and inside the military services.

In 2017, the Computer Crimes division of the Department of Justice developed a framework for agencies to use in their own vulnerability disclosure programs, while an industry group led by former White House Senior Cybersecurity Director Ari Schwartz released a white paper earlier this year calling on governments and industry to adopt standardized, coordinated vulnerability disclosure policies to foster better cooperation with security researchers.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
