NIST SP 800–53 R5 adds Vulnerability Disclosure Programs to Federal Security and Privacy Controls | @Bugcrowd
What are the changes?
Released on September 23, 2020, Revision 5 contains a number of improvements, broadens its applicability to better cover both security and privacy concepts, and, for the first time, introduces vulnerability disclosure programs (VDPs) as a recommended control under the vulnerability monitoring and scanning section:
“RA-5 (11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM. Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. Discussion: The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.”
How do these changes affect vulnerability disclosure programs and the good-faith hacker community?
NIST’s definition of vulnerability disclosure programs (VDPs) calls out critical distinguishing features of a well-run VDP:
- Publicly discoverable channels and policies
- Explicit authorization of good-faith security research
- Absence of non-disclosure as a condition of authorization of testing in public programs, and
- Timeline-driven Coordinated Vulnerability Disclosure (CVD) practices
SP 800–53 R5 goes on to explain the reasoning for the inclusion of VDPs in the guidelines:
“Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public-at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities.”
“Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.”
This is a key call-out, and something many organizations have yet to realize: security research, both good-faith and potentially malicious, will occur whether or not the owners of the systems under study have invited it. Declining to accept the output of this research as a way to identify and manage risk carries a huge opportunity cost, and attempting to ban it altogether merely drives it underground, where it is more likely to surface with malice.
Therefore, it is more rational to be proactive and take the steps needed to funnel actionable information from good-faith hackers to the people who can act on it and remediate the risk.
“Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.”
While they are similar in their external mechanics, VDPs, bug bounty programs, and private bug bounty programs are not the same.
In the NIST definition, public and private bug bounty programs are optional additions to the core control recommendation: implementing a vulnerability disclosure program. By clarifying this distinction, NIST is helping its audience understand that a public bug bounty program is a subset of a vulnerability disclosure program, despite being more topical and oft-discussed.
Combined with the call-out against placing non-disclosure as a condition of authorization to conduct security research, this last section further addresses some of the existing term confusion between vulnerability disclosure programs, public bug bounty, and private crowdsourcing. It establishes vulnerability disclosure programs as a superset concept when organizations first consider how they’ll receive and act on security feedback from the outside world.
It is exciting to see the thoughtfulness NIST has put into articulating the simple truth that vulnerabilities always exist, hackers “good” and “bad” will find them, and that the smart move is to leverage this phenomenon and integrate it into a vulnerability management strategy.