Federal executive branch agencies are officially on the clock and now have six months to develop and publish a vulnerability disclosure policy after the Cybersecurity and Infrastructure Security Agency (CISA) published the final version of a binding operational directive (BOD) requiring VDPs.
The new directive is the result of a long process that included input from researchers, academics, and other private-sector experts, a first for this kind of directive. BOD 20-01 spells out exactly what the agencies’ policies must include and how the agencies will be required to work with vulnerability reporters. The directive provides a detailed timeline for when agencies must hit specific milestones (VDPs must be published by March 1, 2021) and includes guidance on how to work with researchers and how to track metrics associated with bug reports and remediation. What it does not do is give agencies any direction on how to do the prep work needed to be ready for the influx of reports that will arrive once these policies are public. For many organizations, that step is the most difficult and painful one in the entire process, and an organization that is not properly prepared may find itself buried in vulnerability reports that it does not have the capacity or capability to handle.
“There’s no provision whatsoever to assess your capabilities before you publish your policy. Would you advertise a 911 service if you not only didn’t have any operators standing by to take the calls, but no firefighters and no hydrants? No, you wouldn’t. But that’s what this is,” said Katie Moussouris, CEO and founder of Luta Security, a firm that specializes in helping organizations create and sustain VDPs.
Moussouris led the development of Microsoft’s first bug bounty program and helped the Department of Defense create its Hack the Pentagon bug bounty contest, which later expanded to other parts of the department. While she’s encouraged by the general idea and direction of the directive, she’s concerned that federal agencies will not be properly prepared to deal successfully with a high volume of vulnerability reports if they do not lay the proper groundwork. In fact, the first entry in the directive’s FAQ section contemplates this possibility: “My agency has published a security contact but we don’t yet have a VDP. What should we do with the reports we receive?”
“That’s completely backward. I’m seriously concerned. Bug bounties have captured the hearts and minds of our government. But running a bug bounty program or a VDP has nothing to do with true security maturity. Just because you have a mechanism to hear from people now doesn’t mean you’re ready to deal with them,” she said.
“It may just mean you’re hearing about more security problems. The problem is you’re conflating a VDP with security maturity. You have to do a maturity assessment, find process gaps and address those first.”
The directive requires that each VDP specify which systems are in scope and how to report a vulnerability, and that it include a statement making clear that bug reports can be anonymous. Perhaps most importantly for researchers, each policy must include a “commitment to not recommend or pursue legal action against anyone for security research activities that the agency concludes represents a good faith effort to follow the policy, and deem that activity authorized.”
That requirement is vital given that some software companies and site owners have shown a propensity for suing or threatening to sue researchers who discover vulnerabilities in their products or sites, even when the researchers report them privately to the company.
“It warms my hacker heart to see that there’s official government writing saying that it’s no longer acceptable for federal agencies to close their ears to vulnerability reports and that researchers are your friends,” Moussouris said.
The first milestone in the directive is that every agency must have a security contact for each .gov domain it owns by Oct. 2. The agencies then have until March 1 to create, refine, and publish their VDPs. From then on, the scope of the VDP must increase by at least one new Internet-accessible system every 90 days for two years, at which point all such systems have to be in scope. While some federal agencies have been using private bug bounty platforms to handle vulnerability reports, any agency starting from scratch will have an uphill climb to develop a policy while also creating internal processes and gathering resources to handle the vulnerability reports.
“An agency is going to have limited people, processes, and technology to deal with this. It’s all coming from a finite pool. It’s an isolated thing in the larger area of security. This could take away resources from higher priority things. I would not want an election authority that is facing nation-state actors dealing with this now. This is not the time,” Moussouris said.
“There’s no truth to the idea that you can build this process in parallel while you’re developing a VDP. It’s not achievable. You have to build it to be efficient and sustainable.”