WASHINGTON D.C. — Today, TechFreedom joined a coalition of two dozen companies and civil society groups led by Rapid7 in urging the National Institute of Standards and Technology to add vulnerability disclosure and handling processes into its “Framework for Improving Critical Infrastructure Cybersecurity.”
The Framework, a set of voluntary standards for managing cybersecurity risks, originally focused primarily on critical infrastructure, but it has increasingly served as a guide for both government agencies and the private sector. While the Framework covers receiving information from information-sharing forums, it provides no guidance on handling vulnerability disclosures from external sources such as independent security researchers.
“We’re entrusting more and more of our lives to devices and digital services, and we need the security ecosystem working together smoothly to make sure that stays viable,” said TechFreedom Executive Director Austin Carson. “No single entity can be expected to detect and patch every bug on its own, and reducing the friction between developers of technology and independent researchers is critical. A flexible process for reviewing and mitigating vulnerabilities submitted by independent researchers will encourage more participation and digital security. We hope NIST revises its Framework to encourage a mature disclosure process.”
As the joint comments state:
Processes for receiving, reviewing, and responding to vulnerability disclosures should be considered a basic, and relatively easily achievable, component of modern cybersecurity plans. The Framework already provides for information sharing and external participation, but we believe the Framework should be more explicit that these functions encompass coordinated vulnerability disclosure and handling processes.
Recognizing that there is no perfect security and that all vulnerabilities cannot be completely eliminated from digital goods and services pre-market, organizations must be prepared to continually identify and respond to cybersecurity flaws in their infrastructure and networks throughout the IT lifecycle. Yet the quantity, diversity, and complexity of vulnerabilities will prevent many organizations from detecting all vulnerabilities without independent expertise or manpower.
We can be reached for comment at firstname.lastname@example.org. See our other work on cybersecurity, including: