Hacking the US Government - Legally
Jackson Henry and John Jackson Say VDPs Give Assurance to Researchers
Security researchers often do not know what trouble they are walking into when they disclose software vulnerabilities to an organization.
At best, the flaw gets fixed and the researchers are thanked. At worst, they might be prosecuted. But the U.S. government has opened its arms to security researchers who responsibly disclose vulnerabilities.
In September 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 20-01, which requires most federal executive branch agencies to create vulnerability disclosure programs, or VDPs.
The VDPs outline how security researchers can submit reports about vulnerabilities and bugs in federal IT systems and what's in scope. And importantly, the VDPs ensure that researchers can make those reports without fear of reprisal (see: US Agencies Must Create Vulnerability Disclosure Policies).
Jackson Henry and John Jackson are with the security research group Sakura Samurai. They have disclosed vulnerabilities to agencies such as the National Science Foundation.
Henry says many researchers are still unaware of the U.S. government's VDPs. He says Sakura Samurai prefers to focus on VDPs rather than bug bounty programs, which tend to attract more researchers because they offer potential payment.
But "every other web application in existence is left not secure because researchers aren't researching on it," Henry says. "We like to go where others aren’t to maximize our effectiveness and usefulness."
In this video interview with Information Security Media Group, Henry and Jackson discuss:
- How VDPs give researchers assurance when hunting vulnerabilities in U.S. government systems;
- How the disclosure process went when Sakura Samurai found vulnerabilities in the National Science Foundation's systems;
- How the environment around security research is evolving.
John Jackson is the founder of Sakura Samurai, which is an independent research group. He's a senior penetration tester, a former senior application security engineer with Shutterstock and a former cybersecurity engineer with Staples. He also served in the U.S. Marine Corps.
Jackson Henry is a researcher with Sakura Samurai, an analyst with the consultancy Data-Sec and an intern at Trustwave's SpiderLabs in Sydney.