DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy

The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it.

The devil is in the details, of course, but this is a welcome development.

The DHS is seeking public feedback.

Posted on November 27, 2019 at 3:34 PM • 8 Comments

Comments

Ike November 28, 2019 12:08 AM

Who is naive enough to think you can report something to Government without yourself being put in the spotlight after that?

Version Control November 28, 2019 6:35 AM

Interestingly enough, they are using git/github to gather and process feedback via 'Issues' and pull requests.

Much as I dislike DHS, at least their 'cyber.dhs.gov' people are using appropriate tech for the process.

As for the vulnerability handling, it'll all go up the 'chain of command' and if it's a doozie, get given to our friends at No Such Agency to exploit, maybe.

1&1~=Umm November 28, 2019 7:34 AM

Hmm,

The devil is in the details, of course

Noise off stage right: A strangulated squeal as though a leak that is whistling is throttled into silence.

If anyone thinks this is not a way to "keep under wraps" things that "embarrass" those "on high", think again. Even if it does not start that way, that's the way it will become. Any form of oversight gets corrupted, obstructed or defenestrated by those on high, every which way they can.

It's something recent history should have made clear to anyone who can get to read honest reporting (which is admittedly getting harder with many Western nations now clamping down on journalists).

Ismar November 29, 2019 12:16 AM

I agree with Bruce that this is a positive step with one caveat, and that is that the appropriate action must be taken to fix the deficiencies within a fixed time period. If this cannot be done, for any reason, then use of the impacted software should be stopped.
Otherwise, people will be forgiven for thinking along the lines described by Clive in one of the previous posts.

Clive Robinson November 29, 2019 4:03 PM

@ Ismar,

I agree with Bruce that this is a positive step with one caveat, and that is that the appropriate action must be taken to fix the deficiencies within a fixed time period.

It's interesting to read these three points in the document:

  • The reporter cannot determine how to report
  • The reporter has no confidence the vulnerability is being fixed
  • The reporter is afraid of legal action

The first of these is a problem most people have when trying to report vulnerabilities to any organisation, not just governmental ones.

The second historically was quite justified; as found in the past, a lack of publicity did not incentivise software development management to fix vulnerabilities, just to keep on pushing new features, which brought even further issues.

The third again was a very real issue not so long ago, and the DMCA in the US does not encourage the reporting of vulnerabilities for fear of section 1201 litigation.

The second of these is what you see as an issue and, as you've rightly pointed out, the third is what causes me concern (apparently my name is already on somebody's takedown list :-(

Thus the real problem is: can the DHS really get all those "non-exempt"[1] agencies and departments to come clean and fix vulnerabilities in their systems...

I guess we are going to have to wait and see, but I'm doubtful.

[1] If you look in the overview page you will spot the "National Security" card already being played. Because if you think about it, something that affects even just a couple of users is an unwanted vulnerability, and claiming "national security" covers all manner of sins from the public eye.

Eric Johnson December 2, 2019 6:59 PM

In response to all of the skeptical replies on this page, I keep thinking back to Bruce's call for Public Interest Technologists.

If we see problems with it, perhaps we should suggest changes! Looking through the report, I noticed at least a few items that I need to go back and review, to see if they're really addressed:

  • Suggesting PGP encryption for email-related submissions.

  • A self-imposed deadline, after which, if the security researcher's report is within the documented scope, the security researcher is free to publish. For example, after 180 days, if the vulnerability is not fixed, the researcher may publish awareness of the defect, but is encouraged to refrain from identifying details. After 210 days, the researcher is free to disclose all details. If an agency wishes to prevent a researcher from publishing a defect, then they must explicitly request no disclosure, but cannot prevent the researcher from publishing that a vulnerability was reported, and when.

  • If the vulnerability is found to be a result of previously unknown defect / unfixed defect in a third party component, the agency will either let the researcher know this - so that the researcher can themselves report the vulnerability and get credit - or coordinate with the third party to get the defect fixed in a desired timeline.


In any case, here's an opportunity to "re-code" our government's processes, so we should step up as technologists and contribute!
