Written by Sean Lyngaas
The U.S. government is experimenting with a secure and anonymous portal for reporting software vulnerabilities to encourage closer collaboration with ethical hackers.
The initiative is a recognition of the lingering reluctance that some security researchers have felt in flagging bugs for federal officials, despite a longstanding program run by the Department of Homeland Security.
The project would use SecureDrop, the open-source software that some news organizations rely on for anonymous tips, to submit vulnerability information. It is aimed at the tinkerers and hackers who, out of fear – whether founded or not – of legal repercussions, do not report the bugs they find.
“We don’t know how many people are withholding [vulnerabilities]….or monetizing because they have no other avenue” to report them, said Jeff Moss, a backer of the project and the founder of the DEF CON hacking conference, where the initiative was announced Friday.
The plan is for DEF CON to host the servers for the vulnerability reporting, acting as a bridge between hackers and the government. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) would collect vulnerability reports and disseminate them, as it does now.
DHS already accepts thousands of vulnerability reports every year. But now it is trying to tap further into the cybersecurity community for that information.
“What we’re hearing is that, even though we will take [vulnerability reports from anyone], there’s still a reluctance to share directly with the government,” CISA Director Chris Krebs told reporters. He said he wanted to learn more about what was and wasn’t working in the vulnerability reporting process.
Another concern that some computer specialists might have is that a vulnerability they find could be turned into a computer exploit by the government. Krebs sought to allay those fears while on stage at DEF CON – emphasizing that DHS publicly circulates vulnerability reports rather than handing them off to intelligence agencies.
It is unclear when the project will be up and running; Krebs said there were still technical and legal issues to iron out. Either way, hackers who dabble in the darker parts of the trade will need serious convincing to partake.
The use of the Freedom of the Press Foundation’s SecureDrop could encourage more participation. The platform runs through Tor, the anonymizing tool. Using federal money for the new initiative, security specialists did a code review of SecureDrop to further strengthen the program’s security.
The ultimate aim is to get buy-in from hackers around the world.
“In an ideal world, a hacker community is a global community,” said Marc Rogers, DEF CON’s head of security operations and another supporter of the project. “It’s not just a U.S. community. So whatever ends up being built has to support that global community.”