DHS questions vulnerability disclosure program
The Department of Homeland Security plans to collect information on security vulnerabilities in its information systems and wants to know if its methods are sound.
Section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act requires DHS to establish a Vulnerability Disclosure Program. Undiscovered vulnerabilities could be exploited by nation-states or hackers to steal personally identifiable information or manipulate data.
People, organizations and companies will be able to submit vulnerabilities they find in the department’s systems to DHS in a “safe and lawful way” while honing their skills, according to a notice in the Federal Register.
“In addition, without the ability to collect information on newly discovered security vulnerabilities in DHS information systems, the DHS will rely solely on the internal security personnel and or discovery through post occurrence of such a breach on security controls,” reads the notice.
The program will use a form allowing submitters to share vulnerable hosts, information needed to reproduce the bug, suggestions on how to mitigate the problem, and the predicted impact if nothing is done.
Zero-day vulnerabilities, those unknown to DHS, are of particular concern.
DHS anticipates about 3,000 responses, each taking three hours to ingest, for a total burden of 9,000 hours. The agency wants to know whether potential program participants think the collection is necessary at all, whether the estimated burden is accurate, whether the information sought could be expanded, and whether automated or electronic submission is needed.
Comments are being accepted until Oct. 28, and the form will ultimately be posted on DHS’s website in addition to those of its subsidiary agencies like the Transportation Security Administration and Immigration and Customs Enforcement.
Congress continues to consider creating a DHS bug bounty program, expected to cost $44 million, that would pay independent researchers who find software and hardware vulnerabilities.