Vulnerability disclosure programs mandated across government

The federal government has mandated vulnerability disclosure programs (VDPs) to give security researchers a front door for reporting bugs they discover in digital services to agencies.

The Attorney-General’s Department updated advice to agencies late last month following “feedback from industry about the value of government entities establishing a VDP”, bringing Australia into line with the United States.

VDPs allow security researchers and other members of the public to easily report potential bugs and security vulnerabilities to allow software owners to apply patches before a vulnerability can be exploited.

Vulnerability disclosure programs to become commonplace

The need for a formalised reporting process came to the fore during the early days of the pandemic, when developers attempted to report issues with the COVIDSafe contact tracing app without success.

Issues again emerged late last year with the arrival of COVID-19 digital vaccine certificates, which developers and cryptography experts initially described as “woefully insecure” and “very easy” to forge.

At that time, the government encouraged responsible disclosure through the Information Security Manual, with security researchers asked to contact the Australian Cyber Security Centre in instances where they had been unable to contact a specific agency.

A spokesperson from the Attorney-General’s Department said the “new requirement requires entities to have a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities”.

It was introduced following industry feedback during a consultation process last year aimed at strengthening Australia's cyber security posture, including through a mandatory code of practice for securing consumer-grade IoT devices.

By “providing security researchers and members of the public with an established mechanism to report potential security vulnerabilities in a responsible and coordinated manner”, agencies can expect to “improve the security of their products and services”, the spokesperson added.

It is unclear if any agencies have introduced VDPs since the arrival of the mandate. The Australian Taxation Office, Department of Health and the Australian Bureau of Statistics already have established vulnerability disclosure policies.

Such a mandate has been in place in the US since September 2020, when the Cybersecurity and Infrastructure Security Agency (CISA) gave all US federal agencies three months to publish and implement a VDP.

The requirement that agencies adopt VDPs comes six months after the Digital Transformation Agency said there were no plans to introduce a government-wide VDP, stressing that individual agencies are responsible for the testing of, and the test approaches used for, their digital solutions.

Ahead of the election in May, Labor’s then Shadow Assistant Minister for Cyber Security and now Assistant Minister for Foreign Affairs Tim Watts said “there are potentially significant gains” to be had from VDPs and bug bounty schemes.

“I…want to find ways to better normalise the involvement of the cyber security community outside of government in the Commonwealth’s cyber security mission,” he said in February 2022.

“Everyone’s a winner when Commonwealth agencies implement VDPs and we should see more of it across government.”

Do you know more? Contact James Riley via Email.
