Earlier this week, the National Institute of Science and Technology (NIST) released Revision 5 of NIST Special Publication (800–53) Guidelines Security and Privacy Controls for Information Systems and Organizations. This revision makes a tremendous step toward bringing the role of good-faith security researchers (or, as they prefer to be called, hackers) closer to the middle of standard IT security controls, and is an exciting step toward legitimizing their long-standing role in securing the internet.

What is NIST SP 800-53 R5?

The SP 800–53 “provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.”

What are the changes?

Released on September 23, 2020, Revision 5 contains a number of improvements, broadens its applicability to better include both security and privacy concepts, and for the first time, introduces vulnerability disclosure programs (VDPs) as a recommended control under the vulnerability management and scanning section:

“RA-5 (11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

Discussion: The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.”

How do these changes affect vulnerability disclosure programs and the good-faith hacker community?

NIST’s definition of vulnerability disclosure programs (VDPs) calls out critical distinguishing features of a well-run VDP:

  • Publicly discoverable channels and policies
  • Explicit authorization of good-faith security research
  • Absence of non-disclosure as a condition of authorization of testing in public programs, and
  • Timeline-driven Coordinated Vulnerability Disclosure (CVD) practices

SP 800–53 R5 goes on to explain the reasoning for the inclusion of VDPs in the guidelines:

“Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public-at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities.”

The NIST authors are acknowledging that security research without explicit authorization is, in many cases, potentially a felony crime in the USA. Extending authorization to good-faith security researchers, while retaining the ability to prosecute bad ones, is something the security community and companies like Bugcrowd have been encouraging for a long time and is at the core of The Disclose.io Project.

Helping organizations create public policy to execute on this is why the open-source vulnerability disclosure policy terms exist.

“Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.”

This is a key call-out, and something many organizations have yet to realize: security research, both good-faith and potentially malicious, will occur regardless of the presence of an invitation from the owners of the subject to the research. Not inviting the output of this research as a way to identify and manage risk carries a huge opportunity cost, and attempting to ban it altogether merely drives it underground in ways that are more likely to see it surface with malice.

Therefore, it is more rational to be proactive and take the steps needed to funnel actionable information from good-faith hackers to where the risks can be actioned on and remediated.

“Organizations may also employ the use of financial incentives (also known as “bug bounties”) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.”

While they are similar in their external mechanics, VDPs, bug bounty programs, and private bug bounty programs are not the same. 

In the NIST definition, public and private bug bounty programs are optional additions to the core control recommendation: implementing a vulnerability disclosure program. By clarifying this distinction, NIST is helping its audience understand that a public bug bounty program is a subset of a vulnerability disclosure program, despite being more topical and oft-discussed.

Combined with the call-out against placing non-disclosure as a condition of authorization to conduct security research, this last section further addresses some of the existing term confusion between vulnerability disclosure programs, public bug bounty, and private crowdsourcing. It establishes vulnerability disclosure programs as a superset concept when organizations first consider how they’ll receive and act on security feedback from the outside world.

Public bug bounty programs and private, crowdsourced security programs are incredibly powerful and useful tools, and are effective to direct scarce cybersecurity talent to where it’s needed – but not if they are used at the expense of the baseline organization’s ability to first establish a functional “Neighborhood Watch for the Internet“. 

SP 800–53 is a well-respected standard. It has broad adoption in government and de-facto adoption of the guidelines in the corporate world guidelines, both in the USA and abroad.

It is exciting to see the thoughtfulness NIST has put into articulating the simple truth that vulnerabilities always exist, hackers “good” and “bad” will find them, and that the smart move is to leverage this phenomenon and integrate it into a vulnerability management strategy.

Revision 5 is yet another step towards the legitimization of the Internet’s Immune System. Everyone who has worked on legitimizing the work of good-faith hackers for the past 30 years or more can feel encouraged by this release.