OMB has issued for comment a draft policy to set government-wide standards for digital vulnerability disclosure programs, saying that “when implemented effectively, these programs enable organizations to improve the security of federal information systems using supplemental information approaches.”
“One particularly difficult aspect of the risk management challenge is the identification and management of vulnerabilities in large and complicated federal networks. These vulnerability identification and management challenges are further exacerbated by the federal government’s shortage of information technology and cybersecurity personnel,” it says.
Many agencies have responded by standing up vulnerability disclosure programs: giving security researchers and the public at large a way to report the security vulnerabilities they uncover, and drawing a line between acceptable and unacceptable methods of discovering them, with the former commonly termed good faith security research.
Some agencies have also run “bug bounty” programs, which offer a financial reward for vulnerabilities found within a defined scope and set of rules; these remain less common, in part because of their cost and administrative burden.
The draft guidance would set requirements for such programs, including mechanisms for reporting vulnerabilities and feedback from agencies to those who make such disclosures, among other elements.
Comments can be made through December 29 at https://policy.cio.gov.