[BreachExchange] Do you need a vulnerability disclosure program? The feds say yes

[Destry Winant]

https://www.csoonline.com/article/3294418/vulnerabilities/do-you-need-a-vulnerability-disclosure-program-the-feds-say-yes.html#tk.rss_news

The US Federal Trade Commission (FTC) and Department of Justice (DOJ)
are signaling that in the future organizations must have some form of
vulnerability disclosure program (VDP) that lets good-faith security
researchers report bugs. Most organizations lack any kind of VDP at
all. A recent HackerOne study found that 94 percent of the Forbes
Global 2000 do not have any way for researchers to report security
issues.

A VDP offers a secure channel for researchers to report security
issues and includes some process for triaging and mitigating those
bugs in an appropriate manner. A VDP has become an industry best
practice, and regulators and law enforcement are paying attention. The
FTC, in public testimony in June to the Consumer Product Safety
Commission, signaled that failure to have at least a rudimentary VDP
could be a violation of the FTC Act:

The DOJ is making similar noises. Its 2017 "A Framework for a
Vulnerability Disclosure Program for Online Systems" offers a
non-binding framework (but a heavy-handed hint) of what a VDP should
look like. Today's framework is likely to be tomorrow's law.

DOJ's framework comes from the Criminal Division's Cybersecurity Unit
and focuses on helping both researchers and organizations avoid
unnecessary CFAA (Computer Fraud and Abuse Act) misunderstandings.
"The framework outlines a process for designing a vulnerability
disclosure program that will clearly describe authorized vulnerability
disclosure and discovery conduct," the document's authors write,
"thereby substantially reducing the likelihood that such described
activities will result in a civil or criminal violation of law under
the Computer Fraud and Abuse Act."

Industry best practices have now been encoded in the rough drafts that
will at some point become law. What does your organization need to do
to be compliant?

A VDP is not a bug bounty

The FTC's comments and the DOJ framework avoid specifying a particular
model for a VDP, such as ISO 29147 and 30111, and are clearly meant to
enable innovation and experimentation with what works—and what
doesn't—for different organizations.

It is also clear that the FTC and DOJ are in no way pushing
organizations towards bug bounties. "No one is saying you should pay
hackers," Amit Elazari, a doctoral law candidate at UC Berkeley who
studies legal issues surrounding VDP and bug bounties, says, "but you
should at least have a channel of communication."

Many companies confuse a VDP and a bug bounty, bug bounty pioneer
Katie Moussouris told CSO earlier this year. "It's dangerous when
people think that bug bounties are the same as vulnerability
disclosure," she said at the time.

A bug bounty offers financial incentives for hackers to look for
security flaws. However, companies should not engage in a bug bounty
until they've done in-house testing and, more importantly, built up
their in-house process to handle reported vulnerabilities. "When you
do a VDP, the DOJ suggests it's not just the policy, it's the capacity
to triage, to address reports and fix the issues reported," Elazari
says.

Dealing with reported bugs is much harder than simply receiving
good-faith security reports. Opening the flood gates of bug reports
without any way to address them could open your organization to legal
liability.

You have to do something with those bug reports

It's not enough to simply have a channel open to receive security
issues from good-faith researchers. You actually have to do something
with those bugs. Failure to triage and address reported issues could
be perceived as negligence.

"'Adequate process' is not just a 'security@' email but a more
comprehensive program," Elazari says. "Once you have the report you
can't just turn a blind eye. You will need to patch. You have seen the
information; it's becoming a higher level of negligence."

The question then becomes how to demonstrate due diligence when
challenged, in either a court of law or of public opinion. Compliance
with the DOJ framework would be a highly defensible choice, Elazari
suggests. "If you get to a stage that you need to actually prove what
is an 'adequate process,' following the DOJ guidelines (even if they
are just a recommendation) makes sense," she says.

The future is VDP

The time is coming soon when some form of vulnerability disclosure
program will be mandatory for all organizations. Critical security
issues at one company increasingly affect all of society in our
interconnected world. Putting your house in order and leaving out a
welcome mat for good-faith security researchers who want to help is
now industry best practice. Regulators like the FTC can, and will,
enforce this new norm.

"We're going to see wide adoption of VDPs," Elazari says.