Government wants better cyber info-sharing with industry

Editor's Note: This story originally appeared on

The National Telecommunications and Information Administration is working to finalize consensus best practices to close the gap between government and industry interests when it comes to disclosing technical vulnerabilities that could impact public safety.

NTIA, a component of the Department of Commerce, doesn't regulate industry. Instead it convenes groups of stakeholders with an eye to forging consensus on best practices. At a Nov. 7 meeting, three working groups presented their progress in three main areas: safety and disclosure, multi-vendor disclosure, and adoption and awareness.

The first working group submitted a short, sample template for how safety-critical industries should address writing policy for vulnerability disclosures.

Cyber Statecraft Initiative Director Josh Corman said the template is aimed at manufacturers who may not be used to working with security researchers, and "it happens to be pretty useful for people in a non-safety-critical industry."

The sample includes which products the policy covers, a legal posture clearly stipulating fair treatment of vulnerability disclosures, how to report a discovered vulnerability, and the company's procedure after receiving the report.

The legal posture bit is important, said Cyber Statecraft Initiative Deputy Director Beau Woods, because in most cases, vulnerability research is conducted in good faith, so the parties involved "should almost never" be fearful of legal recourse.

The second working group submitted a draft guidance for how stakeholders can collaboratively handle product vulnerabilities.

The guidance includes definitions and various real-world use cases of vulnerability reporting "that have been observed to happen in nature in this field," said Art Manion, a senior member of the vulnerability analysis team in the CERT program at Carnegie Mellon University.

Manion said that while following all of the steps of the document will not prevent all security concerns, quick and collaborative action without fear of legal recourse will produce the best results.

The third working group conducted an online survey of security researchers and vendors to compile recommendations on how to drive greater awareness and adoption of disclosure practices.

Jen Ellis, vice-president of community and public affairs at the internet security company Rapid7, acknowledged the survey was an imperfect measurement, but said the most surprising findings were researchers' responses that bug bounty programs will not "open the floodgates" to scrutinize vulnerabilities, and that far more respondents desired communication in addressing the vulnerabilities than a monetary reward.

While exemptions protecting security researchers exist, Ellis said she was "saddened, but not surprised" that concerns about legal repercussions -- against both vendors and researchers -- have stymied collaboration on vulnerability patching.

Ellis added that her working group expects to further analyze the results and send out guidance sometime in late December or January, in hopes of finalizing it by Feb. 1, 2017.

About the Author

Chase Gunter is a former FCW staff writer.
