Over 90 percent of cabinet-level agencies have now published a vulnerability-disclosure policy (VDP) in compliance with a September mandate from the Cybersecurity and Infrastructure Security Agency (CISA).
The CISA binding operational directive (BOD) required federal agencies to implement programs that would give vulnerability reporters clear guidelines for submitting bugs found in government systems, by March 1. On Friday, a CISA spokesperson said that with the March deadline now passed, the majority of Federal Civilian Executive Branch agencies - including over 90 percent of cabinet-level agencies - have published a VDP in compliance with the mandate.
“We continue to work with agencies to assist them in strengthening or establishing effective vulnerability disclosure practices, including through holding multiple workshops and one-on-one outreach,” said the CISA spokesperson.
The BOD outlined broad VDP requirements for the agencies that have developed policies, from the U.S. International Trade Commission to the Social Security Administration: each policy must describe in detail which systems are in scope, which types of testing are allowed and how vulnerability reports can be submitted. It also mandated that organizations implement VDPs with clear wording around which systems are in scope, along with assurances for good-faith security research. VDPs must also clearly identify the mechanism through which researchers can report flaws to agencies, and must provide “timely” feedback on reported vulnerabilities.
Katie Moussouris, founder and CEO of Luta Security, said that she’s excited by the progress behind the directive. However, Moussouris remains concerned that agencies are not set up to address the many challenges beyond the initial publication of their VDPs - such as keeping up with an influx of vulnerability reports.
“The concern for me is at a national security level and a resource level,” said Moussouris, who spearheaded the development of Microsoft’s first bug bounty program and helped the Department of Defense develop its Hack the Pentagon bug bounty contest. “One of the key misunderstandings about setting up a VDP is that the first step is to set a scope and the rules of engagement. And that’s not the first step at all. It misses all the preparation.”
The State Department’s VDP, for instance, lists all of the department’s public assets as in scope, said Moussouris. An entity that lacks the proper resources could struggle to keep up with the sheer breadth of these in-scope assets - for example, if a new vulnerability were discovered in a popular open-source module deployed across all of them, the department could be left scrambling to handle vulnerability reports for every single one of those instances, she said.
Overall, a lack of funding and resources, combined with an increasing number of other security issues cropping up - such as the SolarWinds supply-chain attack or the Microsoft Exchange ProxyLogon flaws - could overwhelm already resource-deprived agencies, she said.
“I’m still incredibly concerned about resources being overstretched in the federal government and causing a problem down the line in handling vulnerability reports, but more importantly it’s pulling resources in multiple directions,” said Moussouris.
Despite these challenges, the increased use of VDPs by government agencies - and organizations overall - is encouraging for the security community as it signals the potential for a better relationship between security researchers and vendors.
“While there are still tensions at times, vulnerability disclosure is much less contentious than it was in the past,” said Brian Gorenc, senior director of vulnerability research and head of the Zero Day Initiative at Trend Micro. “Most vendors have evolved to see independent researchers as a valuable resource rather than an opponent.”
Moving forward, the scope of each agency’s VDP must expand by at least one internet-accessible system or service every 90 days until, at the two-year mark, all systems are in scope, according to the BOD.
In addition, after publishing their VDPs, agencies must meet a variety of reporting requirements and metrics, including divulging to CISA any reports of newly discovered flaws or misconfigurations on agency systems that involve commercial software or services which also affect other parties in the government. Agencies also must report various metrics on a quarterly cycle, such as the number of vulnerability disclosure reports received, the number of reports that are valid and in scope, and the number of vulnerabilities that remain open more than 90 days after receipt of the report.
“Through BOD 20-01, CISA and our federal partners have enhanced the resiliency of the government’s online services by encouraging meaningful collaboration between federal agencies and the public,” the CISA spokesperson said.