DOJ's Guidance on Vulnerability Disclosures
One of the best ways to combat cyber-attacks is information sharing. If Company A’s systems have been compromised, Company A may voluntarily share the nature and details of that attack with other private firms and various regulators as well (like the U.S. Department of Homeland Security).
But many companies do not have a formal, established policy guiding how they receive and provide vulnerability reports to outsiders, when to provide such reports, and with whom they should share vulnerabilities (such as the vendors whose systems were affected).
Last week the U.S. Department of Justice issued guidelines to assist entities in establishing a formal policy on vulnerability disclosure. The guidance was drafted by the Criminal Division’s Cybersecurity Unit.
Of particular note, the DOJ reminds firms that they may need to seek proper authorization before including information about vulnerabilities that implicate third-party interests (such as a cloud service provider or the developers of publicly shared apps).
#Cybersecurity #vulnerabilitydisclosure #incidentresponse