Last week, OTI joined Rapid7 and other allies in both the private sector and civil society in submitting comments to the Department of Commerce’s National Telecommunications and Information Administration in support of including vulnerability disclosure programs in the next version of the Framework for Improving Critical Infrastructure Cybersecurity. These programs, also known as “bug bounties”, provide a structured way for organizations to solicit and receive reports of security vulnerabilities in their products. They provide a framework to overcome what can be a distrustful relationship between independent security researchers and the creators and maintainers of software.
Bug bounty programs help to shape that relationship by setting out guidelines and signalling a willingness to engage on the part of the organization offering the program. This structure encourages security researchers to look at the software covered by the program and to make bug reports with confidence that they won’t be subject to legal reprisals.
They also encourage better cybersecurity practices simply through their existence, by forcing organizations to think carefully about their security posture and to set out incident response policies and practices in advance of being contacted regarding a critical vulnerability. That preparation can mark the difference between hours and days or even weeks in response time to a real threat.The comments point to many great resources for organizations curious about starting a disclosure program, and encourage the NTIA to incorporate such programs in the next revision of the Framework for Improving Critical Infrastructure Cybersecurity. We hope the NTIA and the Department of Commerce will see the wisdom in doing so.