Federal agencies don’t make it clear how to report security problems, and the feds aren’t good at letting people know a bug report has been received. Under new guidelines, they have until March to get their acts together.
If you’re an ethical hacker who finds a bug in a federal government system, how should you report it? According to the Cybersecurity and Infrastructure Security Agency (CISA), it’s no easy task, so it’s calling on federal agencies to develop formal guidelines for bug reporting.
“Choosing to disclose a vulnerability can be frustrating for the reporter when an agency has not defined a vulnerability disclosure policy [VDP]—the effect being that those who would help protect the public are turned away,” CISA says.
Agencies rarely make it clear how to report security problems, and the feds aren’t good at acknowledging that a bug report has been received. “If the task seems too onerous, they may decide that reporting is not worth their time or effort,” CISA argues. Or the reporter could go public and put government systems at risk.
To avoid this, CISA is calling on agencies to make some immediate tweaks and then prep a long-term response plan. It’s been gathering feedback on how best to do this since last November, and is now ready for federal agencies to jump in.
In the next 30 days, agencies need to add a security contact for each .gov domain they have registered, if they don’t already have one, and update the “Organization” field to clarify the unit within that agency that uses the domain.
By March 2021, agencies must publish a vulnerability disclosure policy and house it at [agency].gov/vulnerability-disclosure-policy. Federal systems are often complex behemoths, so CISA will allow agencies to ramp up, adding systems that are covered by their VDPs over time. Ideally, all of them will be covered by September 2022.
“This directive is different from others we’ve issued, which have tended to be more technical – technological – in nature. At its core, [it’s] about people and how they work together,” Bryan Ware, Assistant Director for Cybersecurity at CISA, said in a statement. “That might seem like odd fodder for a cybersecurity directive, but it’s not. Cybersecurity is really more about people than it is about computers, and understanding the human element is key to defending today and securing tomorrow.”