The Justice Department wants to help you run a vulnerability disclosure program

The Justice Department quietly released guidelines last week to help interested parties design their own software vulnerability disclosure programs in a manner that avoids legal issues traditionally caused when a hacker remotely accesses a computer system without prior consent.

These vulnerability disclosure programs, typically known as bug bounties, are typically created to allow participating parties to receive confidential information from independent researchers about software and hardware bugs that are affecting a company’s own systems or products. But the practice can sometimes run up against legal complications tied to the Computer Fraud and Abuse Act, or CFAA, which has been applied in different court cases in a variety of conflicting ways.

Critics of CFAA have said the law is often vague and outdated, stunting researchers’ ability to find vulnerabilities without running afoul of the law.

In short, the guidance underlines an effort by the federal government to apparently quell concerns held by some companies and researchers that hope to participate in such programs.

The eight-page government-produced advisory, which provides general tips and a list of factors to consider when launching such a program, is the first of its kind. The release underscores a broader belief by the federal government that, if properly managed, programs of this sort can offer a cost-effective way for organizations to improve their security posture. In addition, a well organized program will clarify what is and isn’t legal from an independent researchers’ perspective.

Screenshot of report summary/intro

Mårten Mickos, CEO of vulnerability coordination and bug bounty platform company HackerOne, described the Justice Department’s guidance as “useful,” but said that it was missing a plan for “organizing remediation and bug fixing” and also “reporting of results to key stakeholders and decision-makers.”

“Working with hackers is the most efficient way for a corporation to improve application security because it allows security teams to focus on fixing vulnerabilities rather than bug hunting,” Mickos said.

Leonard Bailey, special counsel for national security with the Justice Department’s Computer Crime and Intellectual Property Section, announced the publication of the guidance Friday while speaking at the DEF CON hacking conference in Las Vegas.

“Some organizations are informally soliciting vulnerability reports without creating structured vulnerability disclosure programs … The Criminal Division’s Cybersecurity Unit has prepared this framework to assist organizations interested in instituting a formal vulnerability disclosure program,” the guidance reads. “[Our] framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.”

The full guidance is now available on the Justice Department’s website.