Governance & Risk Management , Government , Industry Specific

Hacking the US Government - Legally

Jackson Henry and John Jackson Say VDPs Give Assurance to Researchers
Jackson Henry and John Jackson of Sakura Samurai

Security researchers often may not know the trouble they're walking into when disclosing software vulnerabilities to an organization.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

At best, the flaw gets fixed and the researchers are thanked. At worst, they might be prosecuted. But the U.S. government has opened up its arms to security researchers who responsibly disclose vulnerabilities.

In September 2020, the U.S. Cybersecurity and Infrastructure Security Agency -CISA - mandated under Binding Operational Directive 20-01 that most federal executive branch agencies create vulnerability disclosure programs, or VDPs.

The VDPs outline how security researchers can submit reports about vulnerabilities and bugs in federal IT systems and what's in scope. And importantly, the VDPs ensure that researchers can make those reports without fear of reprisal (see: US Agencies Must Create Vulnerability Disclosure Policies).

Jackson Henry and John Jackson are with the security research group Sakura Samurai. They have disclosed vulnerabilities to agencies such as the National Science Foundation.

Henry says many researchers are still unaware of the U.S. government's VDP programs. He says Sakura Samurai prefers to focus on VDPs rather than bug bounty programs, which tend to attract more researchers because there's a potential payment.

But "every other web application in existence is left not secure because researchers aren't researching on it," Henry says. "We like to go where others aren’t to maximize our effectiveness and usefulness."

In this video interview with Information Security Media Group, Henry and Jackson discuss:

  • How VDPs give researchers assurance when hunting vulnerabilities in U.S. government systems;
  • How the disclosure process went when Sakura Samurai found vulnerabilities in the National Science Foundation's systems;
  • How the environment around security research is evolving.

John Jackson is the founder of Sakura Samurai, which is an independent research group. He's a senior penetration tester, a former senior application security engineer with Shutterstock and a former cybersecurity engineer with Staples. He also served in the U.S. Marine Corps.

Jackson Henry is a researcher with Sakura Samurai, an analyst with the consultancy Data-Sec and an intern at Trustwave's SpiderLabs in Sydney.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.