The Department of Homeland Security (DHS), Cybersecurity and Infrastructure Agency (CISA), released a draft binding operational directive titled "Develop and Publish a Vulnerability Disclosure Policy" that would require almost all federal agencies to develop and publish a set of methods and procedures by which third-party, non-governmental entities could report potential cybersecurity vulnerabilities present in those agencies' systems. CISA intends for these policies to better encourage members of the public both to investigate government systems for vulnerabilities and to report any vulnerabilities that a member of the public discovers. The operational directive, borrowing from a definition provided by the National Institute of Standards and Technology, defines a vulnerability as a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."
Upon release of the final policy, federal agencies will have 180 days to publish their vulnerability disclosure policy online. Such a policy must contain, among other provisions, the following information:
- Which of the agency's technology systems are covered by this policy;
- Each agency must have one system covered initially, add at least one new system within the following 90 days, and have all their systems covered within two years;
- What sort of vulnerability testing is or is not allowed on those systems;
- A clear and detailed description about how members of the public can submit discovered vulnerabilities and what sort of information should be submitted, including a provision specifying that members of the public may submit information anonymously;
- A clear commitment from the federal agency not to bring legal recourse against a member of the public who brings forth a security vulnerability in accordance with this policy;
- A statement about how the member of the public will receive notification from the federal agency to confirm they have received the submission and to explain what steps the agency is taking in response to address the vulnerability; and
- Well-defined handling procedures for the federal agency to follow in terms of tracking, evaluating, and responding to submissions from the public.
The disclosure policy must not require the submission of personally identifiable information, limit testing to specific groups or subsets within the general public, or attempt to limit the ability of a member of the public to disclose a discovered vulnerability to other parties. Moreover, CISA specifies that this directive does not require or intend for federal agencies to develop "bug bounty" programs, which are financial rewards offered to individuals who discover vulnerabilities, but that federal agencies can establish bug bounty programs separately if they desire. CISA does allow for sub-units within a federal agency to establish their own vulnerability disclosure policies at the agency's discretion if so doing would allow for better response to reported vulnerabilities.
CISA offers three reasons why federal agencies should have vulnerability disclosure policies. First, the policy makes it clear how in the first place to formally report a discovered vulnerability to a federal agency. Second, the policy would provide assurance to the reporting member of the public that the federal agency would actually attempt to address the vulnerability. And third, the policy would allay any fears of legal recourse from the federal government against a member of the public reporting a discovered vulnerability.