US Government Will Welcome Ethical Hackers

The world of voluntary bug reporting took a step forwards recently thanks to a major shift in the way that the US government deals with ethical hackers.

Across the world, hackers constantly rattle the doors on everything from smartphone apps to websites. When they find a bug, the bad ones exploit it for financial gain, using it to infiltrate a system or selling it on the grey or black markets. Friendlier ones report the bug to the system’s owner to help them fix it.

According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the US federal government hasn’t been gracious when presented with these voluntary reports. Some agencies ignore them, while some publish officious language on their sites threatening legal action if anyone tinkers with their systems. That isn’t helpful behaviour, it says. Now, it wants to change all that.

The Agency has published a proposed directive forcing agencies to play nicely with voluntary bug reporters. Under the draft rules, federal agencies would have to provide and monitor clear channels (an email or web form) through which people could report security flaws. They would also have to respond and keep researchers updated on efforts to fix the bugs.

The rules go beyond basic courtesy, though. Agencies could no longer publish threatening language discouraging bug hunters. Neither could they forbid hackers from publishing the bugs after waiting for an acceptable period.

One of the most important provisions in the directive is that it explicitly states agencies cannot submit the bugs to the US Vulnerability Equities Program (VEP). This is an initiative that decides whether to publish a bug so that everyone can fix it, or to keep it secret for use against a government’s enemies later. Bug hunters might be OK sharing knowledge of a security flaw to keep everyone’s systems safer, but they might have ethical problems with stoking the intelligence services’ arsenal.

Hats off to Uncle Sam for publishing a thoughtful proposal to bring its bug handling system into the 21st century. It’s a little behind, though; the UK’s National Cyber Security Centre (NCSC) created a pilot bug bounty scheme in 2017 and launched a vulnerability reporting channel of its own last November. It uses bug bounty company HackerOne as its main point of contact.

The deadline for commenting on the proposed CISA directive is December 27, 2019. It’s taking comments via GitHub.
