Trade Law Daily is a Warren News publication.
Additional Transparency?

Further Government Action Needed on Vulnerability Disclosures, Experts Say

The federal government needs to be more transparent on its discovery of software vulnerabilities and more frequently disclose vulnerabilities, security experts said Monday during a Congressional Internet Caucus Advisory Committee event. DOJ's standoff with Apple over an attempt to force the company to help the FBI unlock an iPhone 5c (see 1602170068 and 1603290059) raised new questions about government use of vulnerabilities and vulnerability disclosure standards, said Rapid7 Public Policy Director Harley Geiger.


Government and private sector firms both ultimately have a responsibility to be transparent about discovered vulnerabilities "because the ultimate goal is to have a secure system," Geiger said. The government "should be doing whatever we collectively decide" on disclosing known vulnerabilities, while the private sector typically considers a more complex set of factors when deciding whether to disclose, said Brookings Institution fellow Susan Hennessey. Tech sector stakeholders exhibit an "almost religious fervor" in favor of disclosing vulnerabilities to parties that can fix the problem, said Mozilla Senior Policy Manager Heather West.

West and others cited the success of “bug bounty” programs as a way of encouraging vulnerability disclosures in the private sector. West said Mozilla's Secure Open Source Fund pays not only for disclosures but also for help to remediate identified vulnerabilities. Bounty programs “provide valuable incentives” for disclosure, said Electronic Frontier Foundation General Counsel Kurt Opsahl. These programs shouldn't be the only method for encouraging disclosures because some firms don't have the resources to make such programs effective, Geiger said.

Congress also can aid in encouraging vulnerability disclosures, particularly by amending laws that may inhibit security research like the Digital Millennium Copyright Act, Geiger said. “We have a major cybersecurity problem in this country,” he said: Researchers are the ones who “are going to help solve it.” Congress also can aid disclosures by enacting legislation that would include a “presumption of disclosures” absent extenuating circumstances, West said. She noted the role NTIA is playing in encouraging vulnerability disclosures via its ongoing facilitation of multistakeholder work on disclosure best practices.