Uncle Sam opens arms to friendly hackers – Naked Security


All you bug hunters out there are about to get a nice Christmas gift – the US federal government finally wants to hear from you. Unhelpful websites and cybersecurity departments will soon be a thing of the past, thanks to a new missive from the Cybersecurity and Infrastructure Security Agency (CISA).

The Agency, which is part of the Department of Homeland Security, issued a surprising tweet on 27 November announcing that it would force federal agencies to be welcoming and responsive to cybersecurity bug reports from the general public:

Binding Operational Directive 20-01 would finally give ‘helpful hackers’ a sense of legitimacy when reporting bugs to federal government agencies in the US, solving some problems that CISA admits to pretty freely in the document. It says:

Choosing to disclose a vulnerability can be an exercise in frustration for the reporter when an agency has not defined a vulnerability disclosure policy – the effect being that those who would help ensure the public’s safety are turned away.

The directive acknowledges that researchers often don’t know how to report a bug when agencies don’t include an authorized disclosure channel in the form of a webpage or email address. They shouldn’t have to search out security employees’ personal contact information, it points out.

Communication after a bug report is just as important, CISA says. An inadequate response to a bug report, or no response at all, may prompt a researcher to report the bug elsewhere, outside the agency’s control.

Perhaps the most egregious mistake that agencies make is threatening legal action. The directive admits that the federal government has a reputation for being heavy-handed and defensive in response to bug reports. Threatening language warning against unauthorized use can also choke off a useful stream of bug reports, it says.

The directive draws a distinction between a vulnerability reporting program and a paid bug bounty initiative. While often useful, the latter isn’t mandatory, it says.