Hacking the US Government — Legally


Jackson Henry and John Jackson Say VDPs Give Assurance to Researchers

Jackson Henry and John Jackson of Sakura Samurai

Security researchers often do not know what trouble they are walking into when they disclose software vulnerabilities to an organization.


At best, the flaw gets fixed and the researchers are thanked. At worst, they might be prosecuted. But the U.S. government has opened up its arms to security researchers who responsibly disclose vulnerabilities.

In September 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated under Binding Operational Directive 20-01 that most federal executive branch agencies create vulnerability disclosure programs, or VDPs.

The VDPs outline how security researchers can submit reports about vulnerabilities and bugs in federal IT systems and what’s in scope. And importantly, the VDPs ensure that researchers can make those reports without fear of reprisal (see US Agencies Must Create Vulnerability Disclosure Policies).

Jackson Henry and John Jackson are with the security research group Sakura Samurai. They have disclosed vulnerabilities to agencies such as the National Science Foundation.

Henry says many researchers are still unaware of the U.S. government’s VDP programs. He says Sakura Samurai prefers to focus on VDPs rather than bug bounty programs, which tend to attract more researchers because there’s a potential…