ACLU urges gov't to establish bug bounty programs, disclosure policies
ACLU encouraged the government to follow the lead of some tech companies that have introduced “security researcher-friendly policies.”
While tech companies have increasingly introduced “researcher-friendly policies” that encourage the security community to report vulnerabilities in widely used products or services, the federal government “has yet to catch up” on this front, a reality that can, and must, change, a civil liberties group says.
In a Wednesday letter (PDF) to the U.S. Department of Commerce's Internet Policy Task Force, leaders at the American Civil Liberties Union (ACLU), Acting Director of the Washington Legislative Office Michael Ball and Principal Technologist for the ACLU Speech, Privacy and Technology Project Chris Soghoian, offered three recommendations to help government agencies and private companies adopt policies that “incentivize reports from security researchers.”
According to Ball and Soghoian, the public sector in particular can make headway by publishing contact information for government agencies' information security teams, making it easier for researchers to report serious flaws in software or websites. The pair also urged the task force to recommend that government agencies publish a responsible disclosure policy, similar to what major tech companies such as Facebook, Netflix and Tesla Motors have done.
Lastly, the ACLU suggested that the government reward the research community for its efforts by introducing bug bounty programs.
“Although the U.S. government is no stranger to paying for security vulnerabilities and exploits – it is reportedly the largest player in the commercial market for vulnerabilities – these vulnerabilities are purchased in order to allow law enforcement and intelligence agencies to exploit the flaws, not to reward researchers for notifying the developers responsible for the software,” Ball and Soghoian wrote in the letter. “In spite of the billions of dollars spent annually by the U.S. government on cybersecurity, we are not aware of any U.S. government agency that has established a bug bounty program intended to reward researchers who find flaws in U.S. government systems and websites. Again, we urge you to recommend ‘bug bounties’ as a government-wide best practice.”
The ACLU's letter comes in response to the Internet Policy Task Force's March request for public comment (PDF) on the development of best practices that could “substantially improve security for organizations and consumers,” according to a Commerce Department notice dated March 19.
The Department's Internet Policy Task Force was created in 2010 to review a number of internet-related subjects, including privacy, cybersecurity and the protection of intellectual property and online copyrighted materials.