New Zealand’s Government Communications Security Bureau (GCSB) has advised government agencies to introduce vulnerability disclosure policies (VDPs) that allow members of the public to report potential software vulnerabilities or other security problems.
Each agency will be responsible for creating its own policy, based on the sensitivity of the information it holds, the security measures already in place, and its ability to segment its network or otherwise segregate sensitive information. Vulnerabilities should be patched, mitigated, or managed within 90 days.
Researchers can report vulnerabilities on a ‘no blame’ basis, without fear of repercussion or penalty, provided the disclosure policy is followed and no illegal activity is undertaken. Unfortunately, though, there won’t be any bounties on offer, and agencies are expected to place limits on web site, system, or application probing.
VDP aligns expectations and creates safe harbor for folks who have information or want to help but are otherwise chilled from doing so because of the legal ambiguity and risk.
New Zealand is just the latest nation to start mandating VDPs for government agencies, with the US last year issuing Binding Operational Directive 20-01, which requires federal civilian agencies to develop and publish VDPs for their internet-accessible systems and services.