2019-12-17

Our government’s military-grade security used to serve as the ultimate example of security best practices. The tables have turned, and now our government must learn from the private sector. That’s why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently announced a draft directive that requires federal agencies, including all civilian agencies, to establish a vulnerability disclosure policy (VDP).

An “if you see something, say something” for security bugs in the digital world, a vulnerability disclosure policy lets good-faith hackers and ordinary citizens alike look for and report security vulnerabilities without fear of legal action. The end goal is to identify security issues safely, before cybercriminals can exploit them.

Vulnerability disclosure policies are recommended as a cybersecurity best practice by organizations like the National Institute of Standards and Technology (NIST) and are already in place at companies like Google, Chase, Goldman Sachs, General Motors, and Ford. The hacker community welcomes this directive and hopes that anyone concerned about our government’s digital infrastructure sees this as the moment that our nation’s cybersecurity changed for the better.

A history of hacks

In 2015, a breach of the U.S. Office of Personnel Management exposed millions of government employees’ security clearance records to Chinese hackers. Had there been a vulnerability disclosure policy in place then, an ethical hacker may have discovered these flaws before they could be exploited by criminals.

Last year, I disclosed a security vulnerability to the Department of Defense in a file-sharing system broadly used across the federal government. This system was used to share sensitive files such as military medical records and, notably, detailed voter data for Trump’s Election Integrity Commission. The vulnerability allowed anyone to bypass passwords and directly download any of the 15 million files uploaded on the site. Armed with the information in my report through their active vulnerability disclosure policy, the military was able to mitigate the security flaw before it could be exploited.

The U.S. government’s relationship with hackers hasn’t always been this smooth. Just a decade ago, the government viewed most hackers as enemies of the state. In 2002, teenage hacker Tommy DeVoss was arrested for hacking into military computer networks and banned from using computers for five years. That perception has since changed. Now, when DeVoss hacks the military as part of legitimate bug bounty programs like Hack the Pentagon, they write him a thank-you letter and a check to boot.