Modernization

DHS questions vulnerability disclosure program

Undiscovered vulnerabilities in agency information systems could be exploited by nation-states or hackers.

August 28, 2019

Hacker using laptop. Lots of digits on the computer screen.

The Department of Homeland Security plans to collect information on security vulnerabilities in its information systems and wants to know if its methods are sound.

Section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act requires DHS to establish a Vulnerability Disclosure Program. Undiscovered vulnerabilities could be exploited by nation-states or hackers to steal personally identifiable information or manipulate data.

People, organizations and companies will be able to submit vulnerabilities they find in the department’s systems to DHS in a “safe and lawful way” while honing their skills, according to a notice in the Federal Register.

“In addition, without the ability to collect information on newly discovered security vulnerabilities in DHS information systems, the DHS will rely solely on the internal security personnel and or discovery through post occurrence of such a breach on security controls,” reads the notice.

The program will use a form allowing submitters to share vulnerable hosts, information needed to reproduce the bug, suggestions on how to mitigate the problem, and the predicted impact if nothing is done.

Zero-day vulnerabilities, those unknown to DHS, are of particular concern.

DHS anticipated about 3,000 responses each taking three hours to ingest for a 9,000-hour burden. The agency wants to know if potential program participants think collection is even necessary, the estimated burden is accurate, the information sought can be expanded, and automated or electronic submission is needed.

Comments are being accepted until Oct. 28, and the form will ultimately be posted on DHS’s website in addition to those of its subsidiary agencies like the Transportation Security Administration and Immigration and Customs Enforcement.

Congress continues to consider the creation of a DHS bug bounty program, expected to cost $44 million, rewarding independent researchers who find software and hardware vulnerabilities with payouts.

DHS questions vulnerability disclosure program

More Like This

New TMF investments support AI Safety Institute, upgrades to nuclear emergency response

SBA moving ahead with upgrades to certification system despite GOP protest

Amid scrutiny into the US Secret Service, a look at how the agency uses technology

Top Stories

More than 1,300 devices have been reported missing to USAID, document shows

The software you can’t use at NASA

Harris likely to combine Biden AI policies with Silicon Valley-informed approach

GOP lawmakers, financial leaders ‘leery’ of rushing AI rules on the sector

CrowdStrike outage briefly impacted national organ transplant matching system

NIST seeks organization to stand up institute focused on AI to boost manufacturing

More Scoops

The FAA is developing an air traffic tool built for the space age. It may need help

DHS releases commercial generative AI guidance and is experimenting with building its own models

Homeland Security adds facial comparison, machine learning uses to AI inventory

Industry help needed to fix ‘sorry state’ of cloud tool interoperability, DHS official says

Customs and Border Protection to update app to screen Ukrainians seeking travel authorization to the US

CISA still working with some agencies to fully follow federal vulnerability disclosure policy rules

Rep. Mace proposes new vulnerability disclosure rules for contractors

Latest Podcasts

The VA extends its EHR contract with Oracle Center for another 11 months.

Leveraging AI to modernize government IT systems

The Coast Guard’s AI chief takes a new role focused on the 2024 presidential transition

TMF funds enhancements in nuclear and AI safety; Federal initiatives strengthen child online protection

Tech

Defense

Cyber

FedScoop TV