Debugging the System: Reforming Vulnerability Disclosure Programs in the Private Sector.

Author: Arooni, Jasmine

TABLE OF CONTENTS

I. INTRODUCTION
II. VULNERABILITY DISCLOSURE PROGRAMS IN PRACTICE: HOW DO THEY WORK?
III. THE CURRENT LEGAL LANDSCAPE: LEGAL RISKS FACED BY VDP SECURITY RESEARCHERS
  A. The Computer Fraud and Abuse Act and Its Impact on Security Research
  B. The DMCA and Its Impact on Security Research
  C. Safe Harbor Language: A Superficial Fix, Not a Complete Solution
IV. THE DOJ'S DISCRETIONARY GUIDANCE FOR PRIVATE VDPS
V. THE U.S. GOVERNMENT'S INFLUENTIAL ROLE IN VDP GOVERNANCE
  A. The U.S. Government as a "Crowdsourcer": Validating the Importance of Public Engagement to Cybersecurity
  B. The U.S. Government as a "Rule Maker": The DHS' Compulsory Authority over Government VDPs
  C. The Government as an "Example": The Impact of Government VDPs on the Private Sector, as Evidenced Through Commercial VDP Management
VI. THE PATH FORWARD: RECOMMENDATIONS FOR STANDARDIZING PRIVATE SECTOR VDPS USING THE U.S. GOVERNMENT AS AN EXAMPLE
  A. Compulsory DOJ Framework: Promoting Reform of Private Sector VDPs Through the Use of Standards
  B. Mirroring the DHS Approach: The U.S. Government as an Example in Responding to Concerns that the Private Sector Fails to Address
VII. CONCLUSION

I. INTRODUCTION

Virtually everything is hackable in today's interconnected world. (1) While a surge of technological advancement confers numerous benefits, it also brings an increased risk of software vulnerabilities. (2) Vulnerabilities are weaknesses in software, including online systems, that can be exploited to damage the confidentiality, integrity, or availability of those systems. (3) Vulnerabilities pose risks of aftermarket exploitation, often in the form of data breaches perpetrated by malicious actors. (4) Remediation of a data breach, on average, costs $3.92 million. (5)

A Vulnerability Disclosure Program ("VDP") (6) is an increasingly popular method to mitigate vulnerability-related risks. (7) VDPs involve enlisting "hackers" (referred to in this Note as "security researchers" for neutrality) to find vulnerabilities before those weaknesses can be exploited. Security researchers, in turn, are compensated for their efforts. The cost of paying researchers through a VDP is a small fraction of what it costs to remediate a data breach, as the average VDP payout is $2,041. (8)

In an age where organizations of all shapes and sizes depend on software-based technologies, addressing vulnerabilities quickly is at the crux of maintaining an effective security posture. (9) The growing popularity of VDPs indicates that crowdsourced bug discovery brings cost-effective solutions that may surpass in-house security strategies to address vulnerabilities. Organizations that run VDPs ("host organizations") delegate the probing of their internal systems to security researchers who perform testing remotely. (10) By harvesting the potential of security research through VDPs, host organizations may establish scalable solutions to cybersecurity challenges. (11) VDPs provide for around-the-clock security services due to their remote and global nature and may replace or supplement the otherwise-burdensome process of in-house vulnerability management. (12) Today, security research is a vital element of the cybersecurity industry, helping strengthen host organization systems used by billions worldwide. (13)

However, security researchers worry about the legal implications of their VDP participation given the realistic possibility that legal action may follow from conducting research outside of the technical or contractual scope allotted by a host organization. (14) Anti-hacking laws in the U.S., combined with an industry standard of poorly drafted legal terms in private sector VDPs, create a prohibitive and liability-laden environment for security researchers. (15)

Some VDPs offer rewards for vulnerabilities that can only be found by conducting research in direct violation of the program's own legal terms, a practice that in turn violates anti-hacking laws. (16) The search for a specific vulnerability solicited by the host organization might involve research that, under the organization's legal terms, is a violation or is not clearly defined as proper or improper activity. (17) In turn, inconsistent or incomplete legal terms can subject a security researcher who violates them to the risk of prosecution under current anti-hacking laws. (18) These poorly drafted terms force researchers to bear the risk. They must decide whether they are willing to participate in a program that may not protect them from liability should their research be construed as improper. (19)

To this end, the U.S. federal government has made numerous guiding efforts, one of them being the Department of Justice's "Framework for a Vulnerability Disclosure Program for Online Systems," while simultaneously setting an example in its capacity as a host organization towards reform of the volatile VDP landscape in favor of security researchers. (20) The DOJ Framework outlines a high-level process for how an organization may structure a vulnerability disclosure program and advises host organizations on how to eliminate civil or criminal prosecution risk for security researchers that may arise from a poorly drafted policy. (21) Although the government is thought to lag behind innovative private sector companies in stature, federal agencies, unexpected first-adopters of fair VDP practices, have set the example for how organizations should operate VDPs. (22)

Several organizations in the private sector have taken public steps to reform their VDPs based on the DOJ's helpful guidance. However, three years after the DOJ Framework's release, it has not had enough of an impact on private sector VDP reform. Given the changing landscape of U.S. government-run VDPs, which captures adequate process and protections for agency VDPs, this Note argues that there should be top-down pressure on the private sector to reform VDP policies and processes, using the DOJ's framework as a tool to do so.

Section I of this Note sets forth the VDP process, including actions taken by the host organization and researchers during VDP creation and the vulnerability lifecycle. Section II explores the current anti-hacking legal landscape and its impact on security research, including the role of safe harbor language. Section III explores the DOJ Framework in detail, highlighting why it is a useful tool for reducing legal risks to security researchers through private sector VDP reform. Section IV outlines the U.S. government's unconventional adoption of VDPs, the recent call for mandatory and uniform VDPs at every government agency, and the influence the government has on private sector VDPs as seen through commercial VDP platforms. Section V proposes that the DOJ Framework, if properly updated and maintained through a multi-stakeholder approach, has the potential to facilitate comprehensive standards in private sector VDPs, using the government's role in the VDP industry as an exemplary metric that comports with the needs of both host organizations and security researchers alike.

II. VULNERABILITY DISCLOSURE PROGRAMS IN PRACTICE: HOW DO THEY WORK?

Organizations most commonly rely on their permanent security operations teams to handle a range of cybersecurity issues in-house. (23) However, addressing vulnerabilities is a time- and resource-intensive practice, and an organization aiming to employ long-term, preemptive measures to discover vulnerabilities may face challenges when trying to do so solely through in-house security. (24) For example, few organizations have adequate bandwidth to look for new bugs while mitigating existing ones. (25) Depending on the size of an organization or the number of systems under its ownership, vulnerability-related security issues may generate enough work for an entire business unit within the organization. (26) As a result, there is great incentive for organizations to encourage, reward, and develop relationships with external researchers who find security bugs in organizations' systems in real time through VDP deployment. (27) When vulnerability hunting is left to a large and global community of external researchers, internal teams can better focus on fixing existing bugs, creating systems to better avoid bugs in the future, and handling other issues within the organization's security infrastructure. (28)

The VDP process ordinarily begins when an organization solicits security research services from the public by setting up an internal VDP. (29) The VDP creation process may vary in formality based on an organization's size, resources, and sophistication. (30) In creating a VDP, host organizations draft and enforce program terms and legal terms ("legal terms"), (31) which effectively serve as contracts between the security researcher and the host organization. (32) In general, security researchers take affirmative actions to manifest assent to the contract terms upon submission of a vulnerability to a host's VDP, as well as through click-through consent when they agree to a program's general program terms. (33)

The next step occurs when a security researcher discovers a vulnerability in the host organization's system. (34) After discovering a vulnerability, the security researcher reports the vulnerability to the host organization through the VDP. (35) If a security researcher discovers a valid bug, the company's legal terms dictate the next steps in the process regarding what the security researcher can do with their findings. (36) Some host organizations may allow for public disclosure of security research findings, with a prevailing norm that security researchers work closely with host organizations ahead of time to ensure remediation of the vulnerability before public disclosure to avoid unwanted exploit of the vulnerability found in good faith. (37) Other host organizations require confidentiality from security researchers to avoid reputational harm, a practice...
