Homeland Security demands a 911 for reporting security holes in federal networks: 'Vulns in internet systems cause real-world impacts'
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on Wednesday ordered US federal agencies outside the defense and intelligence communities to develop a working vulnerability disclosure policy.
"An open redirect - which can be used to give off-site malicious content the appearance of legitimacy - may not be on par with a fire, yet serious vulnerabilities in internet systems cause real-world, negative impacts every day," he said.
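The open redirect mentioned in the quote is the classic case of a low-severity bug with a real-world impact: a login page that honours a `?next=` parameter verbatim lets an attacker mail out a link on the legitimate host that bounces the victim to a site they control. The following is an added illustration, not code from the article or from CISA: a vulnerable handler beside a hardened one that accepts only same-origin, rooted paths. The hostname `agency.example.gov` is an assumption for the example, and the bypass inputs in the comments are constructed test cases.

```python
from urllib.parse import urlparse, urljoin

# Assumed hostname for the example; not from the article.
TRUSTED_HOST = "agency.example.gov"


def vulnerable_redirect_target(next_param: str) -> str:
    """'Before' form: trusts ?next= verbatim.

    A lure such as https://agency.example.gov/login?next=https://evil.example/
    carries the trusted host in the visible part of the link, then sends the
    user off-site after login.
    """
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened form: allow only rooted, same-origin paths; otherwise fall back."""
    # Empty values, backslashes (which browsers normalise to forward slashes)
    # and control characters are rejected before any parsing happens.
    if not next_param or any(c in next_param for c in "\\\r\n\t\0"):
        return default

    # Protocol-relative forms (//evil.example, ///evil.example) are rejected on
    # the raw string: browsers collapse extra slashes after an https: base.
    if next_param.startswith("//"):
        return default

    parsed = urlparse(next_param)
    # Any scheme (https:, javascript:, data:) or authority component means the
    # target is not a relative path on our own origin.
    if parsed.scheme or parsed.netloc:
        return default
    # "evil.example/path" has no scheme or netloc but is not rooted either;
    # only paths beginning with a single "/" are accepted.
    if not parsed.path.startswith("/"):
        return default

    # Belt and braces: resolve against the trusted origin the way a browser
    # would and confirm neither scheme nor host changed.
    resolved = urlparse(urljoin(f"https://{TRUSTED_HOST}/", next_param))
    if resolved.scheme != "https" or resolved.netloc != TRUSTED_HOST:
        return default
    return next_param


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and several lure attempts.
    for candidate in ["/dashboard", "https://evil.example/", "//evil.example/",
                      "///evil.example", "/\\evil.example", "javascript:alert(1)",
                      "evil.example/path"]:
        print(f"{candidate!r:28} vulnerable -> {vulnerable_redirect_target(candidate)!r:28}"
              f" safe -> {safe_redirect_target(candidate)!r}")
```

The hardened version deliberately allow-lists a shape (a single leading slash, no scheme, no authority) rather than deny-listing known hostnames; that is what keeps the protocol-relative and backslash variants from slipping through.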
CISA's Binding Operational Directive 20-01 aspires to simplify the reporting process.
Within 180 days, each agency must publish a vulnerability disclosure policy that states which of its IT systems are in scope, what types of testing are permitted, how to submit a vulnerability report, a commitment not to recommend legal action against good-faith reporters, and what response a reporter can expect.
"You can't just throw a point of contact up to solicit vulnerability reports from the public with no process behind it and expect good security as a result," she wrote in a blog post.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/09/03/us_bug_bounty/