U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021 (Security News, September 2020)
The U.S. government's cybersecurity agency is now requiring federal agencies to implement, by next March, vulnerability-disclosure policies that give ethical hackers clear guidelines for submitting bugs found in government systems.
The new directive from the Cybersecurity and Infrastructure Security Agency (CISA) requires agencies to publish policies that describe in detail which systems are in scope, which types of testing are allowed, and how ethical hackers can submit vulnerability reports.
The policies would cover all internet-accessible systems or services in government agencies, including systems that were not intentionally made internet-accessible, according to CISA. The directive mandates that organizations implement VDPs with clear wording around which systems are in scope, as well as assurances that good-faith security research is authorized.
"To streamline communication and collaboration, Federal agencies shall ensure vulnerability reports are available to system owners within 48 hours of submission, and shall establish a channel for system owners to communicate with vulnerability reporters, as appropriate," according to a memorandum sent to heads of executive departments and agencies.
Within 180 days all agencies must publish and operationalize their VDP. Finally, in 240 days agencies must report "Milestones for VDP to cover all federal information systems" and CISA must begin coordinating ways to track reported bugs.
News URL
https://threatpost.com/u-s-agencies-vulnerability-disclosure-policies-march-2021/158913/