The New Zealand government imposes a bug reporting process on government agencies


Emma Woollacott Feb 14, 2022 at 1:42 PM UTC

Updated: Feb 15, 2022 08:24 UTC

Researchers can report vulnerabilities on a “no-blame” basis

The New Zealand Government Communications Security Bureau (GCSB) has advised government agencies to introduce Vulnerability Disclosure Policies (VDP).

In its latest security handbook, the GCSB said agencies should establish a process that would allow members of the public to report potential software vulnerabilities or other security issues.

Each agency will be responsible for creating its own policy, based on the sensitivity of the information it holds, the security measures already in place, and its ability to segment its network or segregate sensitive information. Vulnerabilities must be patched, mitigated or managed within 90 days.


“The GCSB has included the requirement for a vulnerability disclosure policy in the New Zealand Information Security Handbook to make it clear that public service agencies are expected to make it easy for people to tell them about vulnerabilities they see,” a GCSB spokesperson told The Daily Swig.

“Each agency is responsible for its own policies, and for handling and triaging reported vulnerabilities, as it is best placed to understand its IT environment and any dependencies it may have with managed service providers or software vendors.”

Researchers can report vulnerabilities on a “no-blame” basis, without fear of retaliation or punishment, as long as the disclosure policy is followed and no illegal activity is undertaken. No bounties will be offered, however, and agencies are expected to set limits on which websites, systems, or applications may be researched.

Safe harbor

“Historically, most legal frameworks around the world still fail to recognize the difference between a hacker operating in good faith and a cybercriminal or malicious attacker,” Casey Ellis, founder, CTO and chairman of bug bounty platform Bugcrowd, told The Daily Swig.

“VDP aligns expectations and creates a safe harbor for people who have information or want to help, but are otherwise deterred from doing so due to legal ambiguity and risk.”

New Zealand is only the latest country to begin mandating VDPs for government agencies, with the United States issuing Binding Operational Directive 20-01 last year, which requires federal civilian agencies to develop and publish VDPs for their systems and services accessible on the Internet.

“Other countries have started to implement similar mandates, such as the UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill, which requires manufacturers, importers and distributors to meet minimum security requirements for all connectable products available to consumers, including having a VDP,” Christopher Dickens, security engineer at bug bounty platform HackerOne, told The Daily Swig.

“Other governments will certainly follow, and once the VDPs are mandated, everyone from governments to businesses will.”
