ACLU To Commerce Dept: Make it Easy for Researchers to Report Security Flaws
Today, the ACLU submitted a formal comment to the Internet Policy Task Force recommending several ways that companies and government agencies can encourage security researchers to disclose security flaws that make their websites and other computer systems vulnerable.
Far too many of the cybersecurity legislative proposals discussed in Washington (and opposed by the ACLU) would hurt civil liberties by expanding the government’s surveillance powers. Improving the process through which computer security vulnerabilities are disclosed to companies and government agencies, on the other hand, will increase cybersecurity while protecting privacy – a win-win.
All computer systems have programming flaws and design mistakes that can be exploited, and no system will ever be one hundred percent secure. An unfortunate reality is that these flaws can be discovered and exploited by criminals and by foreign governments’ intelligence services and militaries, who will not responsibly disclose the flaws but will instead exploit them for their own gain. Yet security researchers who have discovered security flaws and pointed them out to those responsible have sometimes been met with legal threats or, in some cases, lawsuits. These legal risks chill research and can discourage researchers from notifying the companies or organizations responsible for the vulnerable code.
Government agencies have much to gain from working with, rather than against, the computer security research community. Although many tech companies have taken steps to make the vulnerability disclosure process easier, the federal government has not. In our comment, we recommend that government agencies adopt the following three practices in order to incentivize security researchers to report any flaws that they discover:
- Publish contact information for agencies’ information security teams;
- Establish responsible disclosure policies, through which the agency promises neither to sue nor to report the researchers to law enforcement authorities, as long as the individuals who discovered the flaw give the agency time to fix the flaw before releasing information about it to the public; and
- Implement bounty programs, which create a monetary incentive for discovering and reporting a flaw or vulnerability.
We believe that it’s time for the federal government to catch up with Silicon Valley by embracing security-researcher-friendly policies. Our formal comment encourages the federal government to make it as easy as possible for researchers to notify the organization responsible for the flawed code. Our common-sense recommended policies, if adopted, will improve federal government cybersecurity and create a favorable environment that encourages and rewards researchers who are trying to do the right thing.