Do you need a vulnerability disclosure program? The feds say yes

The FTC and DOJ are pushing companies to provide a means for good-faith security researchers to report bugs and put effective processes in place to act on those reports.

The US Federal Trade Commission (FTC) and Department of Justice (DOJ) are signaling that in the future organizations must have some form of vulnerability disclosure program (VDP) that lets good-faith security researchers report bugs. Most organizations lack any kind of VDP at all. A recent HackerOne study found that 94 percent of the Forbes Global 2000 do not have any way for researchers to report security issues.

A VDP offers a secure channel for researchers to report security issues and includes some process for triaging and mitigating those bugs in an appropriate manner. A VDP has become an industry best practice, and regulators and law enforcement are paying attention. The FTC, in public testimony in June to the Consumer Product Safety Commission, signaled that failure to have at least a rudimentary VDP could be a violation of the FTC Act:

"In many cases, the FTC has alleged, among other things, that the failure to maintain an adequate process for receiving and addressing security vulnerability reports from security researchers and academics is an unreasonable practice, in violation of Section 5 of the FTC Act."

The DOJ is making similar noises. Its 2017 "A Framework for a Vulnerability Disclosure Program for Online Systems" offers a non-binding framework (but a heavy-handed hint) of what a VDP should look like. Today's framework is likely to be tomorrow's law.

DOJ's framework comes from the Criminal Division's Cybersecurity Unit and focuses on helping both researchers and organizations avoid unnecessary CFAA (Computer Fraud and Abuse Act) misunderstandings. "The framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct," the document's authors write, "thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act."

Industry best practices have now been encoded in the rough drafts that will at some point become law. What does your organization need to do to be compliant?

A VDP is not a bug bounty

The FTC's comments and the DOJ framework avoid specifying a particular model for a VDP, such as ISO 29147 and 30111, and are clearly meant to enable innovation and experimentation with what works—and what doesn't—for different organizations.

It is also clear that the FTC and DOJ are in no way pushing organizations towards bug bounties. "No one is saying you should pay hackers," Amit Elazari, a doctoral law candidate at UC Berkeley who studies legal issues surrounding VDP and bug bounties, says, "but you should at least have a channel of communication."

Many companies confuse a VDP and a bug bounty, bug bounty pioneer Katie Moussouris told CSO earlier this year. "It's dangerous when people think that bug bounties are the same as vulnerability disclosure," she said at the time.

A bug bounty offers financial incentives for hackers to look for security flaws. However, companies should not engage in a bug bounty until they've done in-house testing and, more importantly, built up their in-house process to handle reported vulnerabilities. "When you do a VDP, the DOJ suggests it's not just the policy, it's the capacity to triage, to address reports and fix the issues reported," Elazari says.

Dealing with reported bugs is much harder than simply receiving good-faith security reports. Opening the floodgates to bug reports without any way to address them could expose your organization to legal liability.

You have to do something with those bug reports

It's not enough to simply have a channel open to receive security issues from good-faith researchers. You actually have to do something with those bugs. Failure to triage and address reported issues could be perceived as negligence.

"'Adequate process' is not just a 'security@' email but a more comprehensive program," Elazari says. "Once you have the report you can't just turn a blind eye. You will need to patch. You have seen the information; it's becoming a higher level of negligence."

The question then becomes how to demonstrate due diligence when challenged, in either a court of law or of public opinion. Compliance with the DOJ framework would be a highly defensible choice, Elazari suggests. "If you get to a stage that you need to actually prove what is an 'adequate process,' following the DOJ guidelines (even if they are just a recommendation) makes sense," she says.

The future is VDP

The time is coming soon when some form of vulnerability disclosure program will be mandatory for all organizations. Critical security issues at one company increasingly affect all of society in our interconnected world. Putting your house in order and leaving out a welcome mat for good-faith security researchers who want to help is now industry best practice. Regulators like the FTC can, and will, enforce this new norm.

"We're going to see wide adoption of VDPs," Elazari says.
