Department of Justice Promotes Vulnerability Disclosure Framework

The U.S. Department of Justice has something new to help organizations combat cybercrime -- a formal framework to chronicle and report system vulnerabilities, ranging from bugs to training and everything in-between. The ultimate idea is to improve detection of security issues on the network beforehand.

It’s been crafted by the Cybersecurity Unit Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice and it’s called A Framework for a Vulnerability Disclosure Program for Online Systems.

It’s guidance, the feds said.

What’s a vulnerability? According to the DOJ’s cybercrime unit, it’s weakness within software that can be used by a hacker to “modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.”

Simply put, it’s a software flaw that can extend to tangential issues such as poor security practices, risky password management, misconfigured systems and inadequate training.

Here’s what the feds are thinking: A good number of organizations are commissioning vulnerability reports but mostly on an ad hoc basis. In other words, there’s no formality or constants to them. On the other hand, some organizations are adhering to tenets set by published policies for acceptable reporting of security vulnerabilities offered to stakeholders and the public.

In some ways, then, vulnerability disclosure is a mish-mosh. The feds want to fix that by outlining a “process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.”

Because it’s the DOJ we’re talking about, that last part, of course, is the key thing - compliance with the law, as well it should be.

Four Step to Success?

The framework offers four steps to establish a formal vulnerability disclosure program. Here are the macros from the very detailed document:

Step 1: Design the program: Decide whether to include every component on the network or subsets, how sensitive stored information is to be treated and similar issues.

Step 2: Plan for how to administer the program: Determine how vulnerabilities will be reported: Assign a point of contact to receive the reports, such as an incident response team, a security operations center, or another unit overseen by the CIO or CSO.

Step 3: Draft a vulnerability disclosure policy that "accurately and unambiguously" expresses the organization’s rules: Use “plain English” to describe authorized and unauthorized conduct. Explain the consequences of complying (and not complying) with the policy.

Step 4: Implement the program: Make the policy easily accessible and widely available. Urge everyone involved in vulnerability disclosure to use the organization’s formal program.

As for you, read the document -- it’s informative and meticulously outlined step-by-step.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.