As the popularity of vulnerability programs soar in both the public and private sectors, the Cybersecurity Unit of the Justice Department's Criminal Division has created a framework to guide organizations interested in building a formalized program.
While the framework “does not dictate the form of or objectives for vulnerability disclosure programs,” it does outline a four-step “process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act,” according to a Justice Department release. The agency advises organizations to first design a plan, deciding which network components and data should be included based on factors such as information sensitivity and safeguards like encryption that are already in place.
Developers should determine whether to restrict access to certain assets and if the program should specify vulnerabilities that may be the target of threat actors. And they should consider whether any network component under the program umbrella “implicates third-party interests and, therefore, whether they should be excluded from the program entirely or require the organization to obtain additional authorization before including them in the program,” the department said.
A second critical step: plan out how a vulnerability program will be administered, laying out how flaws should be reported. This plan should provide a mechanism for reporting, clarify how proof should be submitted and who or what department is responsible for receiving reports, and identify staffers who can answer questions with authority.
“Before launching a vulnerability disclosure program, an organization should decide how it will handle accidental, good faith violations of the vulnerability disclosure policy, as well as intentional, malicious violations,” the agency said.
Step three includes creating a disclosure policy that “accurately and unambiguously,” in easy to understand language, reflects the organization's intentions. Any policy should define the scope of the program, and explain techniques not authorized and the consequences of non-compliance.
“An organization should consider including in its vulnerability disclosure program a process for contacting a coordination center in case a vulnerability also affects others organizations' services or systems, such as a technology or software vendor's,” the Justice Department advised. “A coordination center such as United States Computer Emergency Readiness Team or CERT Coordination Center for information technology vulnerabilities or the Industrial Control System-CERT for operational technology vulnerabilities can make additional notifications to affected parties, if necessary.”
Finally, when an organization implements a vulnerability disclosure program, it should ensure that its policies are available and accessible to a wide audience – displayed on its website and advertised in mailing lists and press releases.
