CISA Pushing U.S. Agencies to Adopt Vulnerability Disclosure Policies

cisa bug bounty directive

A newly proposed CISA directive would require all U.S. agencies to develop and implement vulnerability disclosure processes for their internet connected systems.

The U.S. government’s cybersecurity agency has issued a draft directive mandating all agencies to develop vulnerability disclosure policies, which would give ethical hackers clear guidelines for submitting bugs found in government systems.

Security experts hope that the directive will light a fire under the feet of federal agencies to create more transparency around the ins and outs of vulnerability disclosure, as well as increase trust overall between the government and security communities.

The directive, which is a compulsory order for federal departments and agencies, is in a draft phase and remains open for public comment until Dec. 27, according to its issuer, the Cybersecurity and Infrastructure Security Agency (CISA).

Currently, most federal agencies lack a formal mechanism to receive information from white-hat hackers about potential security vulnerabilities on their systems, CISA said in the draft directive, released last week: “Many agencies have no defined strategy for handling reports about such issues shared by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith are authorized.”

The directive would aim to change this by requiring agencies to publish policies with detailed descriptions of which systems are in scope, the types of testing that are allowed and how white hat hackers can submit vulnerability reports. The policies would cover all internet-accessible systems or services in government agencies – including systems that were not intentionally made internet-accessible, according to CISA.

In addition, agencies must create a commitment to not pursue legal action against anyone acting in good faith – a common issue that has occurred in previous vulnerability disclosure and bug-bounty programs.

The directive also touches on various other logistics of vulnerability disclosure reports, including its handling procedures (how reports are tracked and evaluated), as well as reporting requirements and metrics. Agencies must also create a capability to receive unsolicited reports about potential security vulnerabilities, CISA said.

Security experts, such as Katie Moussouris, founder of Luta Security, are applauding the measure. Moussouris, who has worked with the U.S. government previously to flesh out bug-bounty programs like Hack the Pentagon, said that the directive has several positive points – including encouraging agencies to accept submissions from white hat hackers worldwide and banning non-disclosure rules for submitters.

That said, Moussouris said that she worried that the quick timelines established by the directive would leave agencies struggling — Agencies would need to publish vulnerability disclosure policies within 180 days of the directive’s issuance, and create a capability to receive unsolicited reports about potential security vulnerabilities within 15 days of its issuance, for instance.

Moussouris also said she’s concerned this might cause some agencies to rush into an outsourced third-party bug-bounty programs, without thinking through consequences such as how to keep up with submitted bugs, for instance.

“Yes, I know it *says* this isn’t to force bug bounties, but if you look at the dates for complying, the urgency language used in pushing the concept that has been documented & implemented for decades as vuln disclosure, most orgs will only have time for outsourcing to platforms,” she said on Twitter.

The draft directive comes as the U.S. government pushes for further security measures across various agencies. A government order in May for instance required agencies to remediate critical vulnerabilities discovered on their systems in 15 days – cutting in half the previous deadline of 30 days.

The directive for its part would also allow agencies to operate a bug-bounty program in addition to the vulnerability disclosure policy. Vulnerability disclosure – and discussion around how it should be handled by the U.S. government–  has long been discussed, particularly with the inception of government-sponsored bug bounty programs such as the Hack the Pentagon, Hack the DTS and Hack the Air Force.

“Public vulnerability disclosure should be a basic practice for every company, not just government agencies,” Chris Morales, head of security analytics at Vectra, told Threatpost. “Vulnerabilities in software are frequently discovered by the security community. If an organization doesn’t provide a method for the security research community to disclose the vulnerability and a follow up process for addressing those vulnerabilities it doesn’t mean they go away. Those vulnerabilities will persist until someone finds them useful and they lead to a breach.”


Suggested articles