Cybersecurity has been a growing concern in the U.S. since the time tensions between the former and China have escalated. In such a scenario, CISA has acknowledged that this form of virtual security is for the “public good” and thus stands strongest when the “good faith” security researchers and various governmental organizations collaborate in this fight. However, the basis of this can only be laid on the strong foundation of a formal policy that helps finding and reporting of vulnerabilities in a legally authorized manner. Thus, to ease this process for the researchers, CISA recommends vulnerability disclosure policies (VDP) to be defined across governmental agencies.
What is Vulnerability Disclosure Policy?
Currently, most governmental agencies lack a formal mechanism to receive information from security researchers or white-hat hackers about potential security vulnerabilities on their systems. In the draft directive issued by CISA, it clearly states, “Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.” The vulnerability disclosure policy changes this. It makes agencies publish policies with detailed descriptions of which systems are in scope, the types of testing that are allowed, and how security researchers can submit vulnerability reports. These policies also cover all internet-accessible systems or services in government agencies – including systems that were not intentionally made internet-accessible.
The VDP also forces all agencies to maintain a tracking mechanism for all vulnerability lifecycles. There would be complete transparency of which phase the vulnerability is in and what measures are being taken to plug it.
The Bug Bounty Consideration
As per the memo sent from the White House, a coordinated vulnerability disclosure (CVD) consists of two components, first VDP and second bug bounty. However, the Office of Management and Budget (OMB) defines the latter as an optional resource. It says, “Federal agencies can leverage a bug bounty as an incentive focused tool to identify vulnerabilities. This type of program, although not required, should be considered in the greater context of an agency’s enterprise risk management program. Federal agencies are encouraged to consider the use of bug bounty programs.”
The recommendations in the directives issued are clear, but it will be interesting to see the timeline for its complete implementation as this is a coordinated framework and involves all federal and governmental agencies.