March 17, 2018

Department of Justice Releases Guidance for Vulnerability Disclosure Programs

Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in developing a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments. This framework gives private entities a series of steps for establishing a formal program that balances the need to enhance organizations’ cybersecurity against the potential legal risks associated with identifying, testing, and disclosing vulnerabilities. While the framework does not prescribe specific requirements, it does provide guidance that an organization should consider whether it is developing a new disclosure program or already has an established one. The framework also appears consistent with previous U.S. Government guidance on vulnerability disclosure — such as the policies or guidance published by the U.S. Department of Defense, the General Services Administration’s 18F Office, and the National Telecommunications & Information Administration.

In sum, the four-step framework recommends an organization consider the following:

Step 1: Design the vulnerability disclosure program.

  • Decide whether to apply the disclosure program across its entire enterprise or to focus on specific portions of its network, applications, or data types.
  • When choosing to include sensitive data (or systems that process or store sensitive data), an organization should “seriously weigh the risks and consequences of exposing [sensitive] information that it has a legal duty to protect and . . . consider consulting with legal counsel when making its scoping decisions.”
  • Establish a program that focuses on certain types of vulnerabilities rather than all vulnerabilities — for example, a program may focus on software flaws, weak password management practices, outdated and poorly configured systems that are susceptible to exploitation, and/or inadequate security training.
  • Assess whether any third-party interests may be involved (such as a cloud service provider storing the organization’s data or hosting its infrastructure) and account for those interests; otherwise, the program may lack the appropriate authorization to access the third party’s systems and subject the organization to heightened legal risk.

Step 2: Plan for administering the vulnerability disclosure program.

  • Establish a process for vulnerability reporting that includes verifying the accuracy of each reported vulnerability.
  • If the program includes sensitive data, limit access, processing, and retention of sensitive data by testing and reporting entities.
  • Identify key points-of-contact to receive and process vulnerability reports, and “[i]dentify personnel who can authoritatively answer questions about conduct that the [program] does and does not authorize.”
  • Decide how to handle “accidental, good faith violations” and “intentional, malicious violations” of the program.

Step 3: Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent.

  • Describe what type of conduct is authorized and unauthorized, including, but not limited to, specific techniques, use of the organization’s data, deletion or alteration of data, and denying access to systems.
  • Identify what portions of an organization’s network, applications, or data types are in scope.
  • Establish program controls to protect sensitive data and systems that process or store sensitive data.
  • Outline the potential consequences for complying (and not complying) with the disclosure program.

Step 4: Implement the vulnerability disclosure program.

  • Ensure an organization’s vulnerability disclosure policy is “easily accessible and widely available.” Some examples include advertising the program and prominently displaying the policy on an organization’s website.
  • Consider requiring anyone who performs related activities to do so under the established program.
© 2018 Covington & Burling LLP


About this Author

Jennifer R. Martin, Of Counsel

Jennifer Martin has worked at the intersection of law and cybersecurity for the past 15 years. Her expertise in this area has been uniquely honed through her experience managing cyber risks and responding to threats from a variety of perspectives: as the director of cyber incident response and operations, and as lead in-house internal investigations counsel at Symantec; as a managing director of a top cybersecurity and forensics consulting firm; and as a federal and local cybercrime prosecutor and policymaker.

As both in-house counsel and as a...

212 841 1018
Ashden Fein

Ashden Fein is an associate in Covington’s Litigation, White Collar Defense & Investigations, Privacy and Data Security, and International Trade practice groups. He focuses on representing companies and individuals in government and internal investigations, including clients in the defense, cybersecurity, and national security industries; regulatory matters concerning national security law; and global privacy and data security.

Weiss Nusraty

Weiss Nusraty advises clients on cybersecurity and national security matters, including cyber and data security incident response, and government and internal investigations.

Mr. Nusraty joined Covington from the U.S. Department of the Treasury where he served as a Policy Advisor within the Office of Terrorism and Financial Intelligence. In that role, Mr. Nusraty developed and implemented strategies on a range of matters, including financial sanctions, anti-money laundering and counter-terrorist financing. He worked closely with the intelligence...