DHS, OMB prep bug bounty rollout
The agencies are seeking public comment on how to structure information collection activities related to DHS's new vulnerability disclosure program.
The Department of Homeland Security is seeking public comment on how to structure information collection activities related to its new vulnerability disclosure program.
In a draft notice set to be published in the Federal Register Aug. 28, DHS and the Office of Management and Budget ask for feedback from private industry on how best to structure the form and information for companies or individuals who wish to submit information to the government about newly discovered IT vulnerabilities present on DHS information systems. The program was created pursuant to the SECURE Technologies Act passed into law last year.
The DHS form asks security researchers for information on any vulnerable hosts, details on how to reproduce the vulnerability, ideas for remediation and an assessment of potential impacts if left unaddressed.
"The form will benefit researchers as it will provide a safe and lawful way for them to practice and discover new skills while discovering the vulnerabilities," the notice reads. "Meanwhile, it will provide the same benefit to the DHS, in addition to enhanced information system security following the vulnerability mitigation."
Vulnerability disclosures conducted outside of established programs can cause conflict between organizations and security researchers. Companies or governments are often suspicious about the motives of outside parties who poke around their systems and networks, while security researchers routinely argue that organizations prioritize their own reputation and public image over the safety and security of their customers. Bug bounty programs, however, are increasingly cropping up in government, most notably at the Department of Defense and inside the military services.
In 2017, the Computer Crimes division of the Department of Justice developed a framework for agencies to use in their own vulnerability disclosure programs, while an industry group led by former White House Senior Cybersecurity Director Ari Schwartz released a white paper earlier this year calling on governments and industry to adopt standardized, coordinated vulnerability disclosure policies to foster better cooperation with security researchers.