More on the Vulnerabilities Equities Process
The Open Technology Institute of the New America Foundation has released a policy paper on the vulnerabilities equities process: “Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications.”
Their policy recommendations:
- Minimize participation in the vulnerability black market.
- Establish strong, clear procedures for disclosure when the government discovers and acquires vulnerabilities.
- Establish rules for government hacking.
- Support bug bounty programs.
- Reform the DMCA and CFAA so they encourage responsible vulnerability disclosure.
It’s a good document, and worth reading.