Trade Law Daily is a Warren News publication.
Adoption Focus Highlighted

Stakeholders Report Some Progress on NTIA Vulnerability Disclosure Best Practices Work

Cybersecurity stakeholders said they are closer to deciding what deliverables will result from NTIA's multistakeholder process on vulnerability research disclosure. But leaders cautioned Friday that any recommendations aren't likely to include one-size-fits-all solutions. A working group on increasing adoption and awareness of vulnerability disclosure best practices appeared to be the furthest along in gathering information to aid its recommendations, based on presentations at the meeting. A working group focusing on vulnerability disclosures that affect public safety only recently rebooted its information gathering process amid concerns from the group's stakeholders about publicizing their disclosure practices. Working groups on vulnerability disclosure incentives and multi-vendor disclosure best practices indicated their stakeholders were divided on philosophical issues underpinning potential recommendations.

NTIA Director-Cybersecurity Initiatives Allan Friedman proposed harmonizing the multistakeholder process' end products around promoting awareness and adoption of vulnerability disclosure best practices, with additional “special approaches” focused on other working groups' work on multi-vendor and public safety disclosures. Promoting adoption is “the linchpin” to the NTIA multistakeholder process work, said HackerOne Chief Policy Officer Katie Moussouris. “The more we can roll up under that effort, the more harmonized we will be.” If stakeholders still “aren't adopting” disclosure best practices, the multistakeholder process will have been a wasted opportunity, Moussouris said. Stakeholders urged NTIA in September to focus its multistakeholder process on the adoption issues (see 1509290061).

The Adoption and Awareness Working Group believes it will be able to release a report this summer that will include recommendations for driving adoption of vulnerability disclosure best practices, said working group co-Chairwoman Jen Ellis, Rapid7 vice president-community and public affairs. The working group recently circulated a survey to security researchers and operators to gather information and challenge the group's assumptions about possible barriers to disclosure best practices adoption, Ellis said. The surveys seek feedback on stakeholders' experiences with vulnerability disclosures and expectations about barriers, she said. The group plans to analyze data from survey responses in June and will use that data in its report, Ellis said. “We want to understand how we're going to make a difference” in driving adoption through the report, she said.

The Economics and Incentives Working Group received substantial feedback from its stakeholders that showed a “division” between incentives that benefit vendors and security researchers, said co-Chairman Gianpaolo Russo, Indiana University Center for Applied Cybersecurity Research fellow. The stakeholder ecosystem “is very diverse” and needs to “find common ground” on possible incentives, he said. Vendors are resisting “any one solution” to the incentives issue because each vendor typically benefits from a unique set of incentives, Russo said. There hasn't been much feedback on incentives for consumers, but that set of stakeholders remains important to consider, he said.

The Multi-Vendor Disclosure Working Group believes its report will focus on a list of scenarios for how multi-vendor disclosures may occur and possible “variations” that would affect the outcome of such disclosures, said working group co-Chairman Art Manion, Carnegie Mellon University Computer Emergency Response Team Coordination Center Vulnerability Analysis team lead. The working group “agreed to disagree” on developing a single timeline for vendor disclosures, amid disagreements on what a reasonable timeline would be, he said. Online vendors tend to have a quicker disclosure turnaround timeline than traditional software vendors and other industries, Manion said.