These days, organizations (including the U.S. Air Force) have been turning to third parties to help hunt for security weaknesses in company software and applications under “bug bounty” programs. In July 2017, the Department of Justice released guidance for a structured program (entitled A Framework for a Vulnerability Disclosure Program for Online Systems) designed to assist organizations in their efforts to identify and properly disclose those weaknesses. This four-part framework appears to be part of the DOJ’s efforts to combat civil and criminal violations under the Computer Fraud and Abuse Act (CFAA), brought on in part by the rise of “bug bounty” programs. Without clear protocols, boundaries and contractual language in place, these bug bounty programs pose a great risk, as they could inadvertently compromise sensitive information or disrupt services.
According to the DOJ’s framework, a vulnerability disclosure program should “clearly describe authorized vulnerability disclosure and discovery conduct.” Policies should define, at a minimum, (i) what methods a third-party security firm may use to uncover an organization’s vulnerabilities and (ii) how the third party may deliver its findings to the organization. A brief summary of some of the DOJ’s key recommendations is provided below.
A Closer Look at the DOJ Four Step Framework
Step 1: Design the vulnerability disclosure program
- Determine what systems and/or data will be subject to the program.
- Determine how to handle data that implicate interests of those outside the organization.
- Determine what techniques are off-limits in the hunt for security vulnerabilities.
- Specify what types of security vulnerabilities should be targeted.
Step 2: Plan for administering the vulnerability disclosure program
- Define reporting protocols to address the discovery of a security vulnerability.
- Define a point-of-contact for receipt of vulnerability disclosure reports.
- Decide how to handle accidental, good faith violations as well as those that are intentional and malicious.
Step 3: Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent
- Define what activities are authorized and unauthorized using plain, easily understood terms.
- Define the scope of the systems and/or data that are subject to the vulnerability disclosure program as specifically as possible.
- Define protocols to address restricted and sensitive data that require special handling.
- Specify the consequences for violating vulnerability disclosure program policies.
- Consider defining a process for notifying affected entities outside the organization.
Step 4: Implement the vulnerability disclosure program
- Make the program policies easily accessible and widely available internally and externally.
- Encourage participants who are conducting vulnerability disclosure activities to follow the organization’s vulnerability disclosure program and policies.
The DOJ has made clear that the provided framework is intended as a means of assistance, not authority. That said, organizations inviting external sources to run security checks against their systems are strongly advised to follow the DOJ’s four-step framework to develop a formal vulnerability disclosure program to avoid potential harm to the organization. Some framework considerations themselves carry legal implications that require careful consideration and possible legal counsel prior to implementation.