Good news for security researchers: A key guideline for cybersecurity risk management now includes vulnerability disclosure and handling processes. The National Institute of Standards and Technology (NIST) provisionally added this as a core practice in the next version of the NIST Cybersecurity Framework. Rapid7 worked with the security community to help drive this revision, and we are excited about its inclusion: there is a greater likelihood of a positive outcome for cybersecurity when organizations are prepared to receive vulnerability disclosures from external sources, such as researchers. We intend to file additional comments to NIST in support of this change.
The latest NIST Cybersecurity Framework revision includes a new core element:
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
This revision directs organizations using the NIST Framework to consider vuln handling processes when developing a cybersecurity risk management program. The inclusion of vuln handling processes in the NIST Cybersecurity Framework will help raise awareness and adoption of the practice, particularly with critical infrastructure providers and government agencies (many of whom are required to use the Framework for risk management planning).
Rapid7 and community involvement
Rapid7 has long championed coordinated vulnerability disclosure and handling processes as a key component of cybersecurity programs and as a protection for researchers. When NIST solicited feedback on its Cybersecurity Framework, we drafted comments arguing at length for inclusion of vulnerability disclosure and handling processes, and gathered signatures from more than two dozen companies, organizations, and individual researchers in support of it. [See our comments here.] We also engaged the Coalition for Cybersecurity Policy & Law, a policy advocacy group for cybersecurity companies (including us) run by Venable, which agreed to reiterate and cite our recommendations in their own comments [pgs. 3-4]. Rapid7 then helped lead a breakout session on the topic during the NIST Framework workshop.
Thankfully, NIST was open to this feedback and took the subject seriously. The new revision to the NIST Cybersecurity Framework closely mirrors our primary recommendation. [Compare the Framework at the bottom of pg. 49 with our comments at the top of pg. 3.]
We’re very glad that NIST agreed to incorporate vulnerability handling processes, and believe the revision will prove useful for organizations implementing the Framework, as well as security researchers. We are grateful for NIST's commitment to considering public input and for driving this issue. We also deeply appreciate the support we received from other government officials, the Venable Coalition, and the signatories to our comments. Special thanks to NTIA, Luta Security, I Am The Cavalry, and McAfee.
What the revision is and ain't
When evaluating what this change means, there are a couple of things to keep in mind.
First, the NIST Cybersecurity Framework is voluntary for private sector companies – though it is mandatory for federal government agencies, as well as some state agencies. The Framework is also intended to be a flexible planning tool, not a checklist, so each organization may implement it differently. The point is, don't assume all organizations will have fully matured or consistent processes for receiving vulnerability information from researchers. But more will, and the Framework revision helps pave the way for working with organizations to incorporate effective coordinated disclosure processes.
Second, this revision is not, by itself, a safe harbor or a bug bounty. As we emphasized in our comments [fn. 2], there is no requirement that organizations that have vulnerability handling processes provide liability protection for researchers who disclose bugs. If there were, it would have been much more difficult to get consensus on including the practice in the Framework. We would support a legal safe harbor, but organizations will have to decide whether it is right for them. However, even without a formal safe harbor, vulnerability handling processes can benefit researchers by providing them with an established channel for disclosure and a feedback loop. When organizations are prepared to receive and analyze vulnerabilities from external sources, there is less chance of conflict due to misunderstood intentions, ignored vulnerability disclosures, or lawyers freaking out (confession: I am a lawyer and I freak out all the time).
Next step: More comments!
This latest revision of the NIST Framework is technically still in draft form. The fact that vuln handling processes are in the draft is a good sign that they will stay, but that is not set in stone just yet. NIST is accepting public comments on all its revisions until Jan. 19th, 2018, and so we will file group comments in support of the revision. We will also likely use this next round of comments to again recommend that the Framework reference ISO/IEC 30111:2013 (vulnerability handling processes) and ISO/IEC 29147:2014 (vulnerability disclosure). Its current references for vuln handling processes are not as on point.
That's how a lot of policy goes: Iterative changes, heavy on process, and rarely is any issue settled forever & ever. That makes sustained engagement important, and it also makes the progress achieved in this new revision worth celebrating.