December 12, 2019


Department of Justice Releases Guidance for Vulnerability Disclosure Programs

Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments. This framework provides private entities a series of steps to establish a formal program that balances the need to enhance organizations’ cybersecurity with potential legal risks associated with identifying, testing, and disclosing vulnerabilities. While the framework does not prescribe specific requirements, it does provide guidance that an organization should consider whether it is developing a new disclosure program or already has an established program. The framework also appears consistent with previous U.S. Government guidance on vulnerability disclosure — such as the policy or guidance published by the U.S. Department of Defense, the General Services Administration 18F Office, and the National Telecommunications & Information Administration.

In sum, the four-step framework recommends an organization consider the following:

Step 1: Design the vulnerability disclosure program.

  • Whether to apply the disclosure program across its entire enterprise or specifically focus on certain portions of its network, applications, or data types.
  • When choosing to include sensitive data (or systems that process or store sensitive data), an organization should “seriously weigh the risks and consequences of exposing [sensitive] information that it has a legal duty to protect and . . . consider consulting with legal counsel when making its scoping decisions.”
  • Establish a program that focuses on certain types of vulnerabilities rather than all vulnerabilities — for example, a program may focus on software flaws, weak password management practices, outdated and poorly configured systems that are susceptible to exploitation, and/or inadequate security training.
  • Assess whether any third-party interests may be involved (such as a cloud service provider storing the organization’s data or hosting its infrastructure) and account for those interests; otherwise, the program may lack the appropriate authorization to access the third party’s systems and may subject the organization to heightened legal risk.

Step 2: Plan for administering the vulnerability disclosure program.

  • Establish a process for vulnerability reporting that includes authenticating the accuracy of the vulnerability.
  • If the program includes sensitive data, limit access, processing, and retention of sensitive data by testing and reporting entities.
  • Identify key points-of-contact to receive and process vulnerability reports, and “[i]dentify personnel who can authoritatively answer questions about conduct that the [program] does and does not authorize.”
  • Decide how to handle “accidental, good faith violations” and “intentional, malicious violations” of the program.

Step 3: Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent.

  • Describe what type of conduct is authorized and unauthorized, including, but not limited to, specific techniques, use of the organization’s data, deletion or alteration of data, and denying access to systems.
  • Identify what portions of an organization’s network, applications, or data types are in scope.
  • Establish program controls to protect sensitive data and systems that process or store sensitive data.
  • Outline the potential consequences for complying (and not complying) with the disclosure program.

Step 4: Implement the vulnerability disclosure program.

  • Ensure an organization’s vulnerability disclosure policy is “easily accessible and widely available.” Some examples include advertising the program and prominently displaying the policy on an organization’s website.
  • Consider requiring anyone who performs related activities to do so under the established program.

© 2019 Covington & Burling LLP


About this Author

Weiss Nusraty, Covington, litigation lawyer

Weiss Nusraty advises clients on cybersecurity and national security matters, including cyber and data security incident response, and government and internal investigations.

Mr. Nusraty joined Covington from the U.S. Department of the Treasury where he served as a Policy Advisor within the Office of Terrorism and Financial Intelligence. In that role, Mr. Nusraty developed and implemented strategies on a range of matters, including financial sanctions, anti-money laundering and counter-terrorist financing. He worked closely with the intelligence community and...

Ashden Fein, Litigation attorney, Covington Burling

Ashden Fein advises clients on cybersecurity and national security matters, including government and internal investigations, regulatory, and complex litigation matters.

For cybersecurity matters, Mr. Fein specifically counsels clients on preparing for and responding to cyber-based attacks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Mr. Fein also has been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.