The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has published a draft directive that mandates vulnerability disclosure and outlines how agencies should handle reported weaknesses. CISA noted that most civilian agencies lack a disclosure policy, which creates confusion for researchers, and that a required vulnerability disclosure policy (VDP) would give citizens confidence that every reported vulnerability is handled. CISA also described a VDP as a ‘see something, say something’ program for researchers, one that welcomes good-faith security research on specified systems. This is the latest step by the US government to ensure that weaknesses in internet-connected systems are fixed. Since the 2016 Hack the Pentagon challenge, every branch of the military has run a bug bounty challenge.
Veracode CTO Chris Wysopal says that without a VDP, good-faith researchers will not report the security weaknesses they find, so organizations without one forgo the benefit of that information. Over the past decade and a half, the government’s treatment of vulnerability researchers has shifted significantly. In 2005, federal prosecutors charged Eric McCarthy with malicious hacking after he accessed records of the University of California and disclosed the vulnerability; as a result, many researchers would not share their findings for fear of prosecution. The CISA draft would require civilian agencies to designate a security contact within 15 days and publish a VDP within 6 months.
Read More: DHS to Require Federal Agencies to Set Vulnerability Disclosure Policies