- CISA drafts directive to create a vulnerability disclosure policy for government websites and apps
- Agency seeks to centralize the effort via a standard vulnerability disclosure platform service next spring
- Cybersecurity veteran Katie Moussouris warns that the success of the directive largely hinges on triage and response
The Cybersecurity and Infrastructure Security Agency (CISA) has announced plans to launch a contact center – akin to the 911 emergency number – for reporting cybersecurity issues affecting government web portals and apps.
The initiative, essentially a full-fledged vulnerability disclosure program, seeks to explain to those who find flaws in an agency’s digital infrastructure “where to send a report, what types of testing are authorized for which systems, and what communication to expect in response.”
CISA uses phishing as an example of how malicious actors could exploit weaknesses in government websites to steal user credentials. It links to the common weakness enumeration (CWE) page detailing URL Redirection to untrusted sites as a vector facilitating phishing attacks.
“An open redirect – which can be used to give off-site malicious content the appearance of legitimacy – may not be on par with a fire, yet serious vulnerabilities in internet systems cause real-world, negative impacts every day,” CISA notes.
“In many instances, a trained eye can spot critical deficiencies and yet have no one to report it to. It shouldn’t be hard to tell the government of potential cybersecurity issues — but it will be unless we’re intentional about making it easier,” the agency says.
The draft binding operational directive of the initiative is dubbed BOD 20-01. CISA calls it part of its “renewed commitment to making vulnerability disclosure to the civilian executive branch as easy conceptually as dialing 911.”
“That concept hinges on an understanding that 911 is distributed, and the center your call is routed to is dependent on physical geography. We’re aiming similarly,” says the agency, which operates under the Department of Homeland Security.
CISA aims to centralize the effort, or at least part of it, via a standard vulnerability disclosure platform service next spring.
“We expect this will ease operations at agencies, diminish their reporting burden under this directive, and enhance discoverability for vulnerability reporters,” it says.
Katie Moussouris, a pioneer in vulnerability disclosure and a key figure in creating the US Department of Defense’s first bug bounty program for hackers, offered her take on the initiative – as reported by UK technology news outlet The Register.
While she applauds the move, Moussouris feels the feds are biting off more than they can chew.
“You can’t just throw a point of contact up to solicit vulnerability reports from the public with no process behind it and expect good security as a result,” she wrote.
The success of the directive largely rests on the ability of agencies and departments to implement successful triage and response, Moussouris explained.
“It is imperative that these agencies and departments put in place the tools that they will need to manage responsive programs before launching their respective vulnerability disclosure programs,” said the veteran researcher.