Final | June 2020 | v1.0.0 | OFFICIAL - Public | Cyber Security Unit

Introduction

Purpose

Vulnerability disclosure is a process through which individuals, such as users, vendors or security researches work together to find solutions that reduce risks associated with a vulnerability. It encompasses actions such as reporting, coordinating, and publishing information about a vulnerability and its resolution.

The Vulnerability disclosure guideline provides information for departments on:

• how to encourage individuals who have discovered or become aware of vulnerabilities in our digital products and services to disclose them
• how vulnerabilities can be reported privately to the affected department or to the Queensland Government Chief Information Security Officer
• how to best engage with vendors who own affected products and services.

This guideline is based on ISO/IEC 29147 Information Technology Security Techniques Vulnerability Disclosure.

Benefits

This guideline will assist departments in managing vulnerability risks discovered by individuals. Specifically, it will:

• ensure identified vulnerabilities are addressed
• set expectations to promote positive communication and coordination among involved parties
• provide recommendations to departments for the establishment of appropriate procedures on accepting the disclosure of vulnerabilities in their products and services
• provide recommendations to departments for the establishment of appropriate policies on disclosing vulnerabilities in vendor services and products,
• help protect Queensland Government departments from an attack or premature announcement of a vulnerability to the public
• reduce the risk of successful malicious activities resulting in negative impact to the functioning of the Queensland Government.

Audience

This document is primarily intended for Queensland Government departments. It will be of specific interest to:

• information security staff and operational areas
• owners and custodians of information systems.

Scope

This guideline supports the Information and cyber security policy (IS18).

Information relating to incident management is outside the scope of the guideline and departments should refer to the Incident management guideline.

Information relating to vulnerability management is also outside the scope of this guideline and departments should refer to the Vulnerability management guideline.

Vulnerability disclosure

Encouraging responsible research

Queensland Government seeks to build a trusted environment for individuals to disclose vulnerabilities in our products and systems. Departments should encourage responsible security research through online communication channels, websites and/or direct communication.

The meaning of responsible security research should be clearly defined and published to ensure a clear understanding between departments and researchers. Clear messages published on department websites can be very useful for this purpose.

Departments are encouraged not to pursue legal action against anyone who acts in good faith in relation to the discovery and reporting of a potential security vulnerability, provided the vulnerability is disclosed in accordance with the departments responsible disclosure statement (subject to legal and regulatory requirements).

What information should be collected?

Departments should set expectations for the type and format of information required when individuals are disclosing a vulnerability.

When disclosing a vulnerability, individuals should be encouraged to:

• disclose potential security vulnerabilities via a published departmental security reporting email address
• if possible, encrypt findings to prevent vulnerability information being further disclosed
• provide an explanation of the potential security vulnerability, including details of any exploit with enough information to enable the security team to reproduce it
• provide contact details for further communication.

Where applicable, individuals should also be encouraged to include:

• a list of products and services that may be affected
• proof-of-concept code
• details of any changes or modifications made to the affected services (e.g. details of accounts created for research purposes).

While departments are still building their vulnerability disclosure capability, a statement is available on the Queensland Government Enterprise Architecture website. The Cyber Security Unit (CSU) will collect, analyse, and forward vulnerability reports to the relevant department(s).

Communication following a vulnerability disclosure

Departments should set expectations for communication mechanisms and timeframes when individuals disclose a vulnerability.

After receiving a vulnerability disclosure from an individual, departments should:

• make contact within 72 hours of the disclosure to acknowledge its receipt and provide an initial response
• keep individuals informed on progress towards addressing the potential security vulnerability and notify them when the vulnerability has been addressed, and
• request that vulnerabilities are not disclosed publicly until the department has had the opportunity to complete an investigation and, if necessary, remediate or mitigate the vulnerability.

Departments should also ensure any vulnerability disclosure program or policy includes a mechanism for escalation should the individual be unsatisfied with the outcome of the disclosure process. Departments may choose to refer individuals to CSU as part of their escalation process.

Departments should not offer compensation to individuals or organisations for disclosing potential or confirmed vulnerabilities outside of authorised bug bounty programs.

Reporting vulnerabilities to vendors

If a department discovers or becomes aware of a vulnerability in the products or services used by the department, an attempt should be made to disclose the vulnerability to the vendor or service provider.

When disclosing a vulnerability to a vendor or service provider, departments should:

• produce a vulnerability report which contains enough information for the vendor or service provider to action the identified vulnerability
• within seven days of the date on which the department discovers or becomes aware of the vulnerability, attempt to establish a secure communication channel with the vendor or service provider
• if the attempt to establish a secure communication channel is successful, provide a copy of the vulnerability report to the vendor or service provider via this channel
• if no response to the attempt to establish a secure communication channel is received within seven days, provide a copy of the vulnerability report to the vendor or service provider via an unsecured channel.

Once the vulnerability has been disclosed to the vendor or service provider, departments should remain in contact with the vendor or service provider. If a vendor or service provider does not respond to communication attempts, the department should continue to attempt to make contact until 60 days after the first failed attempt.

Departments should allow at least 90 days for the vendor or service provider to mitigate or remediate the vulnerability before further action is taken. Where appropriate, departments should work with vendors/service providers to make reasonable adjustments to this timeline. In the case that vendors or service providers take longer than 60 days to respond to a communication attempt regarding the vulnerability disclosure or fail to complete a process to address the disclosed vulnerability within the time period negotiated with the disclosing department (90 days by default), departments are encouraged to notify CSU at cybersecurity@qld.gov.au.