Threatpost Op-Ed is a regular feature where experts contribute essays and commentary on what’s happening in security and privacy. Today’s contributor is Katie Moussouris @k8em0.
Today marks an exciting development in the often monotonous rehashing of vulnerability disclosure. The ISO standard that began about 11 years ago with the emotionally loaded title “Responsible Vulnerability Disclosure,” and was finally published in early 2014 as ISO/IEC 29147 Vulnerability disclosure, is now available for download at no cost.
One of the key criticisms of the ISO standard was that vendors who wanted to follow it had to pay for it. In fact, the lack of public free availability of that standard was one of the reasons that the U.S. Department of Commerce launched a multistakeholder process under NTIA to increase collaboration between security researchers and organizations in vulnerability disclosure.
Now, for the first time, vendors can follow an internationally recognized guide, albeit in ISO-speak, on how to receive vulnerability reports from people or organizations, how to distribute advisory information on the impact of the issue, and how to mitigate or fix it.
With 94 percent of Forbes Global 2000 companies lacking in any public mechanism to report vulnerabilities to them, the availability of the ISO standard at no cost is key in driving awareness and adoption in one of the most important security practices of any organization or government.
Recognizing the power of working cooperatively with the hacker community has gained a huge amount of traction in the past few years, including the increasing number of bug bounty programs where helpful hackers can get paid for discovering and reporting vulnerabilities. From the first bug bounties offered by Netscape in the mid-1990s to Google’s launch of their bug bounties in 2010, to the first Microsoft bug bounties that I launched back in 2013, to hundreds of other bug bounty or vulnerability disclosure programs cropping up at an increasing rate, the global community of hackers have more and more ways to be recognized and compensated for their skills.
This win-win relationship between hackers and organizations is beginning to be adopted at non-technology companies over the past couple of exciting years. From cars to toys, hackers are gaining fame and fortune by reporting vulnerabilities to the vendors responsible for fixing them. Medical device providers concerned with patient safety are also getting clear guidance from the FDA that they need to have a mechanism to work with hackers who report bugs. With the historic first bug bounty program of the United States government, set to kick off its Hack the Pentagon pilot this Monday April 18 and run for 20 days, the global recognition of hackers as a precious resource to be sought out and compensated has reached an important inflection point.
We live in interesting times—our dependence on technology is growing faster than we can secure it. However, now more than ever, we have the ability to engage with a global community who have the skills and desire to use their powers for the greater good.
Let’s give organizations that are new to working with hackers a break in figuring it out and building their capabilities, and now we can point them to the ISO standard that can finally be downloaded for free. Let’s make it clear and easy for security researchers who want to help and stop threatening hackers with legal action when they are trying to get holes fixed. Let’s pay hackers for their work whenever possible.
It is time to hack the planet in order to secure it.
—
Bio: Katie Moussouris is a consultant and noted authority on vulnerability disclosure & bug bounties. Katie advises companies, lawmakers, & governments on the benefits of hacking & security research to help make the internet safer for everyone. Katie is a hacker – first hacking computers, now hacking policy & regulations.
Katie’s most recent work was in helping the US Department of Defense start the government’s first bug bounty program, called “Hack the Pentagon.” Her earlier Microsoft work encompassed industry-leading initiatives such as Microsoft’s bug bounty programs & Microsoft Vulnerability Research. She is also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vuln disclosure (29147), vuln handling processes (30111), and secure development (27034). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market. She is a New America Foundation Fellow and Harvard Belfer Affiliate. Katie is on the CFP review board for RSA, O’Reilly Security Conference, Shakacon, and is an advisor to the Center for Democracy and Technology.