The Department of Homeland Security in late August began seeking comments from individuals, organizations and companies on a proposed channel for these external entities to disclose security vulnerabilities they might find on the department’s information systems.
The proposed vulnerability disclosure form was published in the Aug. 28 Federal Register and is required by legislation passed by Congress last year and signed into law by President Donald Trump. The comments will be passed to the White House Office of Management and Budget, which wants to know whether the vulnerability disclosure program will be useful and to make sure that it's easy to respond with disclosures.
The information DHS wants submitted on the disclosure form includes the vulnerable host or hosts, how to reproduce the security vulnerability, ways to remediate the vulnerability, and its potential impact if it is not fixed.
DHS says the form will allow respondents “who discover vulnerabilities in the information systems of DHS to report their findings to DHS [and] give DHS first insight into newly discovered vulnerabilities, as well as zero-day vulnerabilities in order to mitigate the security issues prior to malicious actors acting on the vulnerability for malicious intent.”
DHS also says that using the form will “benefit researchers as it will provide a safe and lawful way for them to practice and discover new skills while discovering the vulnerabilities.” The department will also learn from these discoveries, it says.
The vulnerability disclosure program was directed in the SECURE Technology Act (H.R. 7327), which also authorizes a separate “Bug Bounty” pilot program where DHS pays individuals, organizations and companies to hack designated information systems to discover vulnerabilities and then minimize them.
Comments on the security vulnerability disclosure form are due by Oct. 28.