Why I Helped Draft State-Level Vulnerability Disclosure Legislation (Delaware SB 283)

The adoption of bug bounty programs, or vulnerability disclosure programs, has increased rapidly over the past few years, even extending to industries outside of the technology sector — United Airlines, GM, and the Pentagon are great examples. From enormous organizations like Google and Facebook, to small startups with a handful of employees, companies of all sizes seem to be finding significant value in operating disclosure programs to keep their software (and customers) safe.

Bugcrowd’s 2016 State of Bug Bounty report is a worthwhile read on the subject:

Bug bounty programs are moving from the realm of novelty towards becoming best practice. They provide an opportunity to level the cybersecurity playing field, strengthening the security of products as well as cultivating a mutually rewarding relationship with the security researcher community.

The report includes a lot of valuable information, including an important clarification regarding the definition of “bug bounty program.” Here’s their breakdown of the different terms/programs:

[Image: Bugcrowd's breakdown of the different program types and their definitions. Via Bugcrowd]

Because the term “bug bounty” is often used to describe any type of disclosure program, it’s important to note that “vulnerability disclosure programs” are simply bug bounty programs minus a monetary/tangible reward.

Value of Disclosure Programs

The popularity of such programs is evident, but what value do they provide to organizations and their customers? While disclosure programs are not a replacement for code reviews, security assessments, or internal security teams, they do offer at least two distinct advantages over traditional approaches.

First, disclosure programs leverage crowdsourcing, meaning a significantly larger number of researchers are involved in testing. This invites a variety of skill levels and diverse backgrounds into assessing the security of software when compared to traditional penetration testing teams.

Second, some disclosure programs create a higher research incentive — a security researcher may feel much more inclined to review specific functionality if he is to be rewarded for his success. On the other hand, a pen tester is usually compensated in the same way regardless of the number/quality of vulnerabilities he identifies (time allotted is also a factor).

These two points alone show why disclosure programs have gained traction; they generally improve security by involving a higher volume/variety of talent while often rousing additional motivation in the form of a reward system.

Leading by Example

Disclosure policies are a positive trend in an otherwise turbulent industry. Breaches of massive scale are reported frequently, security researchers are raided by the FBI, yet our critical software remains at risk. As private industry has mostly decided on a best practice to help address these issues, our governments at all levels remain behind — but this should change.

I think one of the expectations of government is to follow, if not lead, industry best practices (when feasible). Therefore, I believe increasing the adoption of disclosure programs in governments (at all levels) is the next logical step in improving the security of the products/services in all industries.

Starting Small

Instituting significant change in government is no easy task, though the odds can be improved by starting as local as possible. In fact, this is how some of the largest policy shifts of our time have been accomplished — both same-sex marriage and marijuana legalization have seen rapid adoption by organizing at the state level.

With this in mind, drafting legislation that brings states closer to adopting disclosure policies seemed like a logical path toward improving information security in general.

A Bill is Born

My good friend Rob Keesler, a former candidate for State Representative and current legislative aide, has a good amount of experience on the political/legislative side of things. We have often discussed in detail some of the issues in cybersecurity and innovative ways to address them on a broader scale. As it became increasingly apparent to me that disclosure programs could be an answer, we decided to work together in drafting a bill to that end.

While our sights were initially set much higher, we decided on a more modest proposal to start: we would draft a bill requiring all software vendors contracted with the state to institute disclosure policies. The goal of such legislation is to further adoption of an industry standard while also subtly introducing government to that concept. Of course, the obvious subsequent goal would be to require disclosure policies for all State software properties; we decided against this as a first step due to the additional complexity it would bring to an idea largely unfamiliar to government.

I have included the bill as filed below, but you can find additional information about it here.

As far as we know, this legislation is the first of its kind in the country. While it does not have the ideal requirement of addressing the State’s own systems, it is a step toward realizing that goal in the future. With that, I commend Senator Cloutier for her willingness to listen to an unfamiliar idea, to recognize it as a reasonable improvement, and to move it forward by offering her sponsorship.

Moving Forward

Mistakes and oversights in software design will continue to be prevalent. Security is difficult, and software engineered by imperfect humans will likely have weaknesses for the foreseeable future — disclosure programs can help by confronting this fact while offering an avenue for remediation. We must accept that software vulnerabilities will be discovered, and encourage an open channel of feedback for such reports rather than ignoring them outright or, worse, targeting the messengers. The security community is here to help; let us.

If you think this legislation is a step in the right direction, please contact members of the Delaware State Legislature to let them know — or even introduce something similar in another State.
