DHS Asks for Feedback on Vulnerability Disclosure Program

The Homeland Security Department is seeking feedback on an enterprisewide vulnerability disclosure program that will make it easier for the public to report weaknesses in the agency’s IT infrastructure. 

The program would allow the cybersecurity community to scour select Homeland Security systems for vulnerabilities and alert department officials to their findings without fear of punishment. The effort would bring the department up to speed with the Pentagon and General Services Administration’s tech office, which have both already established vulnerability disclosure policies.

Under the program, the department plans to create a form on its main website where the public can submit any security gaps they uncover, officials said in a Federal Register post, which is scheduled to go live on Wednesday. The form will ask researchers to detail the compromised system, the process for reproducing the vulnerability, strategies for remediating the weakness and the potential impact on Homeland Security if the bug remains unaddressed, according to the post.

Ultimately, the department will use that information to fix security gaps before they’re discovered by digital adversaries.

Despite the growing popularity of public cyber initiatives like bug bounties, security researchers often find themselves in a legal gray area when reporting cyber weaknesses to the government. By creating vulnerability disclosure policies, agencies can set clear guardrails on legal hacking.

“The form will benefit researchers as it will provide a safe and lawful way for them to practice and discover new skills while discovering the vulnerabilities,” officials said. “It will provide the same benefit to the DHS, in addition to enhanced information system security following the vulnerability mitigation.”

The public can submit feedback on the program for 60 days. The post doesn’t specify what systems will be in scope for security researchers.

The vulnerability disclosure program was created last year under the SECURE Technologies Act, a package of Homeland Security cyber proposals approved in the final days of the 115th Congress. Under the law, the agency must also stand up an enterprisewide bug bounty program and create an advisory group to assess risks in the government’s supply chain.