Security researchers and software vendors have spent decades trying to work out the process of vulnerability disclosure, with limited success. Now the federal government is joining the fray in hopes of getting the two sides to play nice.
The National Telecommunications and Information Administration, a unit of the Department of Commerce, is launching what it calls a “multistakeholder process” to address the issue of vulnerability disclosure. The effort will begin in September with an open meeting in the San Francisco area and will continue from there. The process doesn’t have any defined goals or specific parameters yet, and NTIA officials say there could be any number of different outcomes.
“The goal of this process will be to bring together security researchers, software vendors, and those interested in a more secure digital ecosystem to create common principles and best practices around the disclosure of and response to new security vulnerability information,” Angela Simpson, deputy assistant secretary for communications and information at NTIA, said in a post.
“There is widespread recognition that information technology systems – from traditional software to popular websites and cloud platforms to embedded devices – will never be completely secure. It is inevitable that vulnerabilities will be discovered, as a key aspect of security research as well as an integral part of the burgeoning security industry. The security community has begun to make significant progress to promote coordination, and this process will build on these efforts. The coordinated outcomes of this process could range from high-level principles that shape future policy and inform best practices, or participants may choose to focus on particular aspects of the disclosure question that might be addressed to meet the needs of all parties.”
The vulnerability disclosure debate is now older than some of the people participating in it, and what’s come of the years and years of discussions, arguments, and finger-pointing is mostly more of the same. One recent, positive outcome from all of this, though, is the proliferation of vendor bug bounties as well as researcher reward platforms such as Bugcrowd and HackerOne. These systems are designed to provide researchers with an incentive to report vulnerabilities privately rather than on a mailing list or web site. These efforts have been quite successful, but the disclosure debate is far from over.
Simpson said the NTIA disclosure effort is a part of a larger cyber security initiative by the Obama administration.
“The multistakeholder process on vulnerability research and disclosure we announce today is a small, but important, piece of the puzzle. Many other federal agencies, including our sister agency National Institute of Standards and Technology, have done important work to help enhance the nation’s cyber defenses. The process we announced today, which NTIA will lead in partnership with the Department’s Internet Policy Task Force, is meant to complement – not duplicate – that work by focusing on ways to work with industry and other stakeholders to improve security and user trust in the digital economy while also promoting U.S. innovation,” she said.