Laying the terms for partnerships with ethical hackers

With the backing of CISA, federal civilian agencies can lean on the expertise of ethical hackers as part of their security strategy — but first they need a VDP agreement.
(Getty Images)

This year, agency IT leaders were pressed to implement digital modernization projects faster than ever. However, the complexity of government systems also means that any change adds security risks.

Vulnerability disclosure policies

Read the full report.

Government IT teams constrained by limited workforce and resources can lean on the expertise of ethical hackers to identify vulnerabilities in their systems and applications. But defining the terms to facilitate that partnership is critical, according to a briefing document — “VDP Action Plan for Government Agencies,” — a guide, written by HackerOne, that lays out the steps to framing a vulnerability disclosure policy (VDP).

“Regardless of the threat, federal agencies do not have a budget or staff proportionate to their needs. And with decreased visibility and control over their expanding network, agencies’ overburdened IT teams are likely to experience compliance challenges,” says the brief.

Civilian agencies have the authority to accept vulnerability reports from third parties. That was laid out in the recent Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive 20-02. However, a VDP agreement is essential to a vulnerability management program.

“If mismanaged, publishing your VDP will result in an onslaught of reports for which you’re unprepared, an overwhelmed internal team and disgruntled security researchers — severely compromising your security strategy,” warn experts from HackerOne.

To mitigate these risks, HackerOne outlined a quick action plan that lays the foundation for a VDP as part of an agency’s security strategy. It should include:

  • Buy-in from all stakeholders — including legal, communications and IT — is key to get started.
  • Draft a “brand promise” that explains your agencies’ commitment to security and invites security researchers to submit vulnerabilities.
  • Identify which elements are fair game for a security researcher — properties, products and vulnerability types.
  • Include safe harbor language that assures security researchers that they will not be legally penalized for identifying vulnerabilities.
  • Establish a process which includes triage and remediation of vulnerabilities.

HackerOne is a FedRAMP-authorized organization that connects agencies with a network of penetration testers who find and fix critical vulnerabilities to systems and applications before they can be exploited.

This article was produced by FedScoop and CyberScoop for, and sponsored for HackerOne.

Latest Podcasts