Cyber group calls for coordinated vulnerability disclosure policies
A group led by a former top federal cybersecurity official is seeking to make policies that enable outside researchers to work with organizations to find and mitigate IT flaws "standard" in the public and private sectors.
A white paper released March 6 by the Cybersecurity Coalition, an industry group led by former White House Senior Cybersecurity Director Ari Schwartz, recommends that organizations and governments adopt coordinated vulnerability disclosure (CVD) frameworks.
The paper also suggests placing the Department of Homeland Security or another civilian department in charge of developing a policy framework for federal agencies, and it calls for more federal funding for resources like the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) programs.
The Cybersecurity Coalition argues that such policies should be "a standard component" of security programs at governments and private companies and that the U.S. government should promote and encourage broader adoption at home and internationally. The group does not support government bodies acting as arbiters for the private sector, however.
CVD policies are designed to give third parties who probe websites, software and code for flaws clarity about which activities and procedures are in and out of bounds, how to communicate with the organization, and how long to withhold details before going public.
The International Organization for Standardization has published a formal standard for such interactions (ISO/IEC 29147, Vulnerability disclosure), but companies and organizations are sometimes skeptical about the motives behind outside research and can end up focusing on minimizing the public relations damage caused by disclosing a flaw. Researchers, meanwhile, often want to work with organizations to patch systems and products before the flaws become public, but they are wary of letting companies alone decide when fixes are deployed and when the issue is disclosed to outside stakeholders who may be affected. As a result, security researchers have found themselves accused of being malicious hackers when attempting to notify private companies about discovered flaws.
Congress has increasingly sought to compel some agencies by legislation to implement certain forms of incentivized CVD, with bills introduced in the past two years for bug bounty programs at DHS and the Department of State. The Department of Defense has also contracted for legal bug bounty programs covering the Pentagon, the Air Force and other branches of the military.
The federal government has gradually implemented CVD and legal bug bounty policies and recommendations on a piecemeal basis over the years. Last year the National Institute of Standards and Technology incorporated the practice into version 1.1 of its Cybersecurity Framework, which added a subcategory on establishing processes to receive, analyze and respond to vulnerabilities disclosed from internal and external sources.