Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments. This framework provides private entities a series of steps to establish a formal program that balances the need to enhance organizations’ cybersecurity with potential legal risks associated with identifying, testing, and disclosing vulnerabilities. While the framework does not prescribe specific requirements, it does provide guidance that an organization should consider whether it is developing a new disclosure program or already has an established program. The framework also appears consistent with previous U.S. Government guidance on vulnerability disclosure — such as the policy or guidance published by the U.S. Department of Defense, General Services Administration 18F Office, and National Telecommunications & Information Administration.
In sum, the four-step framework recommends an organization consider the following:
Step 1: Design the vulnerability disclosure program.
- Whether to apply the disclosure program across its entire enterprise or specifically focus on certain portions of its network, applications, or data types.
- When choosing to include sensitive data (or systems that process or store sensitive data), an organization should “seriously weigh the risks and consequences of exposing [sensitive] information that it has a legal duty to protect and . . . consider consulting with legal counsel when making its scoping decisions.”
- Establish a program that focuses on certain types of vulnerabilities rather than all vulnerabilities — for example, a program may focus on software flaws, weak password management practices, outdated and poorly configured systems that are susceptible to exploitation, and/or inadequate security training.
- Assess whether any third-party interests may be involved (such as a cloud service provider storing the organization’s data or hosting its infrastructure) and account for those interests; otherwise, the program may lack the appropriate authorization to access the third party’s systems and may subject the organization to heightened legal risk.
Step 2: Plan for administering the vulnerability disclosure program.
- Establish a process for vulnerability reporting that includes authenticating the accuracy of the vulnerability.
- If the program includes sensitive data, limit access, processing, and retention of sensitive data by testing and reporting entities.
- Identify key points-of-contact to receive and process vulnerability reports, and “[i]dentify personnel who can authoritatively answer questions about conduct that the [program] does and does not authorize.”
- Decide how to handle “accidental, good faith violations” and “intentional, malicious violations” of the program.
Step 3: Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent.
- Describe what type of conduct is authorized and unauthorized, including, but not limited to, specific techniques, use of the organization’s data, deletion or alteration of data, and denying access to systems.
- Identify what portions of an organization’s network, applications, or data types are in scope.
- Establish program controls to protect sensitive data and systems that process or store sensitive data.
- Outline the potential consequences for complying (and not complying) with the disclosure program.
Step 4: Implement the vulnerability disclosure program.
- Ensure an organization’s vulnerability disclosure policy is “easily accessible and widely available.” Some examples include advertising the program and prominently displaying the policy on an organization’s website.
- Consider requiring anyone who performs related activities to do so under the established program.