Trade Law Daily is a Warren News publication.
'Collaboration' Sought

NTIA Set To Convene Multistakeholder Process on Vulnerability Disclosures Best Practices

The NTIA-led multistakeholder process to create a set of common principles and best practices for security vulnerability information disclosures is to convene Sept. 29, NTIA said Friday in a planned Federal Register notice. The NTIA-led multistakeholder process, originally announced in July (see 1507090053), is one of several cybersecurity-related multistakeholder processes the Department of Commerce’s Internet Policy Task Force is seeking to convene (see 1504090049). The Sept. 29 multistakeholder meeting is to run 9 a.m.-3 p.m. PDT at the University of California-Berkeley School of Law.


The vulnerability disclosure issue has been controversial among cybersecurity stakeholders because industry stakeholders have been concerned that public disclosures draw the attention of hackers, but NTIA wants “to promote collaboration, rather than antipathy, between the researcher and the vendor,” said Deputy Assistant Secretary Angela Simpson during a press call. A growing number of industries must tackle the vulnerability disclosure issue as dependency on software-laden products grows, making it important that multistakeholder participants create “high-level principles for successful collaboration,” Simpson told reporters. “The community holds the pen.”

NTIA officials told reporters they hope a wide range of stakeholders will participate in the process, though several cybersecurity stakeholders that originally expressed interest in how NTIA could tackle cybersecurity topics told us they're still evaluating whether they'll be involved in the vulnerability disclosures discussion. The Computer & Communications Industry Association is interested in the vulnerability disclosures issue but is evaluating whether it makes sense to participate in the NTIA process if it focuses on technical issues rather than public policy, said Public Policy and Regulatory Counsel Bijan Madhani. Access, a digital rights organization, is also evaluating its potential role in the NTIA process, said U.S. Policy Manager Amie Stepanovich. The Internet Security Alliance doesn’t plan to participate but will evaluate other future NTIA cybersecurity processes, said President Larry Clinton.

The cybersecurity community has already done some work to “promote better collaboration,” including “offering ‘bug bounty’ programs that provide rewards to researchers who share vulnerability information,” NTIA said in the planned Federal Register notice. The International Organization for Standardization is also developing a “formal standard for vendors on how to manage incoming vulnerability information,” NTIA said in the notice. NTIA’s vulnerability disclosures work is “meant to complement these ongoing developments, as well as existing standards and practices developed by other organizations,” the agency said. The NTIA work is unlikely to look at federal policy on addressing accidental disclosure or how an NTIA-endorsed set of best practices on vulnerability disclosure would affect Computer Fraud & Abuse Act prosecutions, an NTIA official told reporters.