The Department of Homeland Security plans to issue a ‘binding operational directive’ that will require each and every agency to quickly develop and publish a vulnerability disclosure policy (VDP).
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive, BOD 20-01, on Thursday, which, when finalized, will require most agencies in the executive branch to publish a VDP -- a policy and procedures for receiving and responding to bug reports from the public.
The rationale for the directive is fairly simple, even if developing a VDP isn't: “When things are easier to do, more people will do them. Reporting vulnerabilities shouldn’t be hard,” said CISA.
CISA says most agencies lack a formal mechanism to receive reports from external security researchers, which can create delays or discourage the public from reporting potential security flaws in government websites, thus leaving them exposed for attackers to exploit.
“This directive requires each agency to develop and publish a vulnerability disclosure policy (VDP), and maintain supporting handling procedures,” the draft directive from CISA director Christopher Krebs states.
A key item in CISA’s do’s and don’ts list is that bug reports are focused on "defense, not offense".
“Submissions are for defensive purposes; they don’t go to the Vulnerabilities Equities Process," the process the US government uses to determine whether to keep zero-day bugs secret so they can be exploited for intelligence, law enforcement, or national security purposes.
CISA outlines three key frustrations bug reporters face when reporting issues to the government: Federal agencies don’t always make it clear where a bug report should be sent; the reporter is not confident the bug is being fixed; and many security researchers fear the government may sue them.
“By putting a vulnerability disclosure policy in place, agencies make it easier for the public to know where to send a report, what types of testing are authorized for which systems, and what communication to expect. When agencies integrate vulnerability reporting into their existing cybersecurity risk management activities, they can weigh and fix a wider array of concerns,” writes Krebs.
The agency notes that this directive doesn’t require agencies to establish bug bounty programs. The Pentagon has experimented with bug bounties for the past three years and last month kicked off its ninth bug bounty with HackerOne.
CISA has outlined an ambitious timetable once the directive has been formally issued. It promises to monitor compliance and expects agencies to provide data about their respective programs, such as the number of vulnerability disclosure reports, how many reports were valid, and how many bug reports are currently open.
Within 15 days, agencies will be expected to have enabled the receipt of unsolicited reports via email. Within 180 days, agencies must have published a VDP on the web, detailing which systems are in scope, the types of testing that are allowed, a description of how to submit reports, and a statement that reporters can submit a report anonymously.
The policy mustn’t attempt to restrict the reporter’s ability to disclose discovered vulnerabilities to others, “with the exception of a request for a reasonable time-limited response period.” The document doesn’t state what is “reasonable”.
Also within 180 days, the VDP must include in scope “all newly launched internet-accessible systems or services.”
The directive requires agencies to increase the scope of the VDP by at least one internet-accessible system every 90 days after 270 days have passed since it was issued.
“At 2 years after the issuance of this directive, all internet-accessible systems or services must be in scope of the policy,” it states.
Because the main beneficiaries of the directive are the public, CISA is for the first time inviting public feedback before it issues the directive. Public comments can be made on CISA’s GitHub page until midnight EST December 27.
Katie Moussouris, the CEO of LutaSecurity, who established Microsoft’s VDP and wrote the international standard for vulnerability disclosure, is not impressed with CISA’s tight timelines. She’s concerned the schedule may force agencies to outsource VDP programs to third-party bug bounty platforms. These companies offer customers managed vulnerability disclosure programs, either separately or combined with managed bug bounties.
“Why is this a problem? Can’t they use platforms without bounties? Sure, but I’ve seen gross triage mishandling, random bug bounty hunters as contract triage personnel, & what would an adversary want more than a centralized target where most *unpatched* federal bugs can be found?,” she wrote.
Of course, Moussouris wants agencies to use LutaSecurity, which helped the UK’s National Cybersecurity Centre (NCSC) prepare for its VDP. The NCSC launched that VDP in November 2018; it allows researchers to report issues through HackerOne if an agency does not have a VDP of its own.