Department of Homeland Security to Establish Vulnerability Disclosure Policy

Dec 20, 2018 Issues: Cybersecurity

WASHINGTON – The Senate has passed H.R. 7237, the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act, clearing the bill for approval by President Trump. The House passed the bill, which was introduced by Congressman Will Hurd (R-TX), yesterday evening. The bill will require the Department of Homeland Security to develop a vulnerability disclosure policy for its information systems and authorizes a pilot bug bounty program at the Department.

“I have been pushing the Department of Homeland Security to establish a vulnerability disclosure policy for years,” said Congressman Langevin (D-RI), a senior member of the House Committee on Homeland Security and the co-founder and co-chair of the Congressional Cybersecurity Caucus. “Unfortunately – and for reasons that remain completely unclear to me – DHS has refused to embrace this practice even as it has become widespread in industry. Thanks to the advocacy of Majority Leader McCarthy and Senator Hassan, well-meaning security researchers will finally have a mechanism to report security flaws in systems run by DHS.”

A vulnerability disclosure policy gives security researchers guidelines on what types of testing are appropriate and how to inform a system owner of any potential security vulnerabilities. Last year, the Department of Justice put out guidelines on how public and private entities can institute vulnerability disclosure programs. The guidance included recommendations for framing policies and for remediation practices once bugs are discovered. Both the Department of Defense and the General Services Administration currently have vulnerability disclosure policies.

“Last year, I traveled to DEF CON with my friend Will Hurd,” continued Langevin. “By far my biggest takeaway was that people conducting security research have many motivations for finding and disclosing bugs. While many choose to do so for money or notoriety, many more are just interested in making the Internet a safer place that works as it was intended. And if we are running insecure systems, aren’t we better off having a way to learn about those flaws rather than pretending they don’t exist?”

In July, Langevin sent a letter to DHS Secretary Kirstjen Nielsen following up on his questioning at an April 26 hearing where she pledged to work with him to establish a vulnerability disclosure program. Based on a lack of response to that letter, Langevin joined Majority Leader Kevin McCarthy (R-CA), Congressman Hurd, and Congressman John Ratcliffe (R-TX) in introducing H.R. 6735, the Public-Private Cybersecurity Cooperation Act. That bill, which passed the House as a standalone on September 25, was included along with Senator Maggie Hassan’s (D-NH) S. 1281, the Hack DHS Act, in H.R. 7237. Langevin and Ratcliffe amended the Hack DHS Act, which would establish a pilot bug bounty program at DHS, during House Committee consideration; those amendments were included in the final bill.