There is only a handful of days left to weigh in on the draft directive from the Cybersecurity and Infrastructure Security Agency on how federal agencies should handle vulnerabilities in their public-facing websites.
When final, CISA’s binding operational directive would require federal agencies to establish vulnerability disclosure programs that security researchers could use to report vulnerabilities in Internet-accessible systems and services. Agencies will need to develop and publish their own vulnerability disclosure policies; set up processes to receive, process, and manage vulnerability reports; and provide certain metrics to CISA quarterly through CyberScope.
Since the comment period on the draft opened in November, CISA has received several suggested improvements and clarifications, such as defining legal protections for researchers, and setting mandatory timelines on how quickly vulnerabilities get addressed. The public comment period on the draft was supposed to close at the end of December, but now has been extended to Jan. 10 to give more people a chance to contribute.
“A VDP allows people who have ‘seen something’ to ‘say something’ to those who can fix it,” Jeannette Manfra, the assistant director of cybersecurity of CISA at the time, wrote in a blog post announcing the comment period. According to Manfra, it was the first time CISA had weighed public comment on a BOD before it was issued.
Many commenters focused on legal protections for researchers, since the threat of legal action has long been used to suppress security research. Finding a vulnerability is one thing, but reporting it can result in cease-and-desist letters or even arrest. "It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems," Manfra wrote.
One way to protect the researchers is to encourage the agencies to involve their Office of General Counsel when developing the policy. As the VDP would likely be executed out of the agency’s CIO office, it would be safer to know that the OGC had “reviewed and concurred with any assertions made regarding pursuit of legal action,” said Karim Said, a cybersecurity professional at NASA.
Jack Cable, noted bug bounty hunter, said agencies should adopt CISA's language for granting safe legal harbor to authorized researchers and develop a process for what happens when agencies don't fix their bugs. Making it "front and center" in the draft is a good sign, but requiring agencies to use the exact language specified by CISA "minimizes the risk of agencies including language that does not offer requisite protection to researchers," Cable wrote.
Researchers frequently complain that despite reporting vulnerabilities, organizations do not fix the issues as quickly as they should. Towards that end, CISA should "plan for the case that agencies fail to adequately remediate reported vulnerabilities," Cable wrote. For many agencies, the VDP would be the first time the agency has to deal with real vulnerability reports, and not every agency will succeed in patching its systems effectively and in a timely manner. "CISA and other policy leadership should plan for when this happens and aid agencies to improve their cybersecurity processes and talent," Cable said.
While there is no specific standard on when vulnerabilities have to be made public, the industry has informally adopted a 90-day window to patch or provide workarounds. A footnote in the draft recommends that agencies also adopt the 90-day policy, but HackerOne founder and CTO Alex Rice thought it should be moved out of the footnote and into the main text, or else the recommendation could be "easily missed or ignored."
However, it should be clear that the 90-day window is still a recommendation and not a requirement. International standards for VDP do not have timeframe requirements, and agencies should follow the standard, wrote Ari Schwartz, executive coordinator of the Cybersecurity Coalition. “Missing an artificial deadline may result in unmet expectations and loss of trust with vulnerability reporters, and potentially prompt premature public disclosure of un-mitigated vulnerabilities that creates additional risks of exploitation,” Schwartz wrote.
The directive should also require agencies to be transparent about remediation and not just say that a vulnerability has been remediated, Cable wrote. Lessons learned and changes going forward to prevent similar vulnerabilities would help improve the agency's security posture. "At minimum, agencies should have a mandatory retesting process where a second set of eyes confirms that a vulnerability has been remediated," Cable wrote. That may involve the researcher who originally reported the vulnerability.
Creating a VDP
CISA laid out a timeline for the agencies. Each agency must designate a security contact at the .gov registrar within 15 days of the directive and publish a vulnerability disclosure policy and a security.txt file within 180 days. The scope of the policy has to increase by at least one internet-accessible system within 270 calendar days, and every 90 days later—which gives agencies the opportunity to start the program on a small set of systems and slowly expand. All internet-accessible systems belonging to the agency must be covered by the policy two years after the BOD.