The Cybersecurity and Infrastructure Security Agency (CISA) issued a draft binding operational directive, BOD 20-01, which will require federal civilian executive branch agencies to publish a vulnerability disclosure policy (VDP).

"A VDP allows people who have “seen something” to “say something” to those who can fix it. It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems," CISA says. In preparing the directive, CISA worked with several agencies that have VDPs and made an effort to align the directive with federal guidanceinternational standard and good practices.

"But this directive is slightly different from others we’ve issued, where agencies are directed to take an action and then CISA verifies the action has taken place. Here, while agencies must maintain VDPs and are the beneficiaries of vulnerability reports, it’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation," says CISA. They are also seeking public feedback before issuance. 

CISA notes the VDP initiative:

  • Lights a fire. Each agency must publish a VDP and maintain handling procedures, and the directive outlines a set of required elements for both. 
  • Draws a line in the sand. Systems “born” after publication of a VDP must be included in scope of an agency’s VDP.
  • Expands the circle. Until everything is included, at least one new system or service must be added every 90 days to the scope of an agency’s VDP.
  • Starts the clock. There’s an upper bound – 2 years from issuance, in this draft – for when all internet-accessible systems must be in scope.
  • All are welcome. Anyone that finds a problem must be able to report it to an agency. 
  • No “catch and keep”. An agency may only request a reasonably time-limited restriction against outside disclosure to comply with their VDP.
  • Defense, not offense. Submissions are for defensive purposes; they don’t go to the Vulnerabilities Equities Process.  

What doesn’t it do?

  • Does not establish a ”federal bug bounty”. A bug bounty is a program that pays researchers for valid and impactful findings. Nothing in the directive prevents individual agencies from establishing a bug bounty of their own, though.
  • Does not create a “national VDP”. The directive is an executive branch policy instruction that requires federal civilian executive branch agencies to have a VDP. The difference might appear slight but they’re very different things. 

CISA wants to hear from people with personal or institutional expertise in vulnerability disclosure and from organizations that have a VDP and manage coordinated vulnerability disclosures. They welcome any feedback and perspective on all these documents, as well as any comments on the approach. The public comment will take place on GitHub and last until December 27th, 11:59pm EST.