Public Comment from Casey Ellis, Bugcrowd re DRAFT BOD 20-01

Originally posted:

January 23, 2020

Mr. Christopher C. Krebs
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security Stop 0380
245 Murray Lane
Washington, D.C. 20528

Dear Director Krebs and CISA/DHS team,

Thank you for the opportunity to comment on this Binding Operational Directive.

To start out: The Bugcrowd team, the security researcher community, and I personally applaud this effort.

The information systems that run the US Government are the output of human creativity and human effort. Humans, while unmatched in our creativity and ability to pursue potential, are also fallible, which gives rise to vulnerabilities and risks. This is merely a byproduct of being human. This truism begs the question of how to identify these risks, fix them, and reduce their likelihood in the future, before the adversary finds and exploits them.

Those who have both the skills and altruistic interest to identify cyber risk and improve the safety and security of the Internet have been waiting patiently for the better part of 30 years, and our efforts to help have been met with varying responses. Up until 5 or 6 years years ago many of them were fearful, hostile, and negative. The evolution of the information attack surface and the capabilities of our adversaries have caused a huge shift: The Internet realised that all “hackers” aren’t burglars, many of them are actually locksmiths.

Put simply, there is a crowd of people building software and systems, and a crowd of people working to find new ways to attack our software and systems, and this BOD proposes what we believe to be a logical response: Engaging the crowd of good-faith hackers and concerned Netizens to help the government defend it’s information systems.

For context: I founded the company Bugcrowd, the first organization to operationalize and intermediate the relationship between the hacker community and organizations wanting their input, in 2012.

Collectively, we have been a participant in the “helpful hacker” community, an advocate for healthy security feedback loops between system owners and their users, and a leader and moderator in vulnerability disclosure policy conversations for thousands of organisations, ranging from

small startups to massive technology platforms, government agencies both in the USA and abroad (including the US Department of Defense), though to traditional and safety critical organizations like automotive manufacturers, medical manufacturers, and financial exchanges. The recommendations below come from our experience across this diverse variety of organizations, which we believe reflects the diversity of different agencies who would be participants to BOD 20-01.

In general we find the recommendations to be thoughtful and well laid out, and are greatly encouraged by the apparent groundswell of support from the researcher and information security community.

Consumer understanding of cybersecurity threats is a relatively new phenomenon, and has resulted in increased desire for transparency of the measures being taken to protect consumer data and the digital workflows that impact - at this point - almost every conceivable aspect of life.

This BOD addresses Government systems, not all of which interact with “consumer” information directly. The now ubiquitous awareness of the risk of cyberattack by the average citizen makes it a socio-political issue, as it directly impacts the confidence of the constituent in their government.

The transparency and conceptual simplicity of “Neighbourhood watch for the Internet” is a natural fit to the overlaid issue of constituent confidence, but our experience sharply reinforces that the journey to maturity in a vulnerability disclosure program is not one-size-fits-all. A measured approach is important to ensure smooth implementation and successful outcomes.

As such, our recommendations carry a focus on maximizing whole-of-program success with consideration to individual agency needs in the implementation of BOD 20-01.


Prioritize the enablement of per-agency roadmap development.

Set a clear expectation that restrictive scope is unlikely to be followed by Finders, and that scope control isn’t the purpose of an organizational Vulnerability Disclosure Program.

The typical approach taken to ensure readiness is either:

Extend the timeline to a fully public vulnerability disclosure program.

The timelines and pathway to a fully functioning, easy to find and engage program will vary between Departments, but the pathway could look like the following:

Treat CERT/CC or other centralized points of intake as the exception process, not the primary process.

Double down on the encouragement of “good-faith authorization” (aka Safe Harbor).

Continue to clearly disambiguate “vulnerability disclosure” from “bug bounty” and “private crowdsourced security”.

Disambiguate researcher, contractor, etc to “Finder” where possible.

We’d like to reiterate on behalf of the security community our appreciation and commendation of this effort from CISA. This effort legitimizes the security researcher community, encourages transparency and pragmatism around vulnerability management within government agencies, and will ultimately result in more secure US Government information systems.

We stand ready to provide additional input and help as required to support this initiative.

Kind regards,

Casey Ellis - Founder, Chairman, and CTO, Bugcrowd

With input from…
Judy Dorner - Special Projects Office, Bugcrowd
Michael Skelton - Global Head of Security Operations, Bugcrowd
Randy Young - Principal Product Manager, Bugcrowd

Casey John Ellis

Casey John Ellis

founder @tallpoppygroup @bugcrowd @disclose_io. troubleshooter and troublemaker.

rss facebook twitter wikipedia github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora