Obama urged to do more to prevent cyberattacks

The Mozilla Foundation has urged the White House to put in place bug bounties for those who find vulnerabilities in Internet-connected devices, in order that attacks of the sort that hit domain name services provider Dynamic Network Services, otherwise known as Dyn, last week can be avoided.

The foundation's public policy representative Heather West said in a blog post that her organisation backed the calls made by junior US senators Angus King (Independent – Maine) and Martin Heinrich (Democrat – New Mexico) for US President Barack Obama to announce policies for discovery, review and sharing of security flaws.

King and Heinrich have suggested the creation of bug bounty programmes and formalisation of the so-called vulnerabilities equities process (VEP), the US government's process for reviewing and co-ordinating disclosure of vulnerabilities that it discovers or creates.

West did not mention recently discovered flaws in Cisco products that the NSA was apparently aware of, but did not disclose publicly. They were leaked on the Internet by a group that has been claimed to be linked to Russia.

The flaws had been secreted by the Equation Group, an entity that has long been suspected to be an NSA front. The group's retention of flaws without disclosing them to Cisco runs contrary to published US government policy.

In their letter to Obama, King and Heinrich wrote: "The recent intrusions into United States networks and the controversy surrounding the Federal Bureau of Investigation's efforts to access the iPhone used in the San Bernardino attacks have underscored for us the need to establish more robust and accountable policies regarding security vulnerabilities."

West said Mozilla was calling for five reforms to the VEP:

  • "All security vulnerabilities should go through the VEP and there should be public timelines for reviewing decisions to delay disclosure;
  • "All relevant federal agencies involved in the VEP must work together to evaluate a standard set of criteria to ensure all relevant risks and interests are considered;
  • "Independent oversight and transparency into the processes and procedures of the VEP must be created;
  • "The VEP executive secretariat should live within the Department of Homeland Security because they have built up significant expertise, infrastructure, and trust through existing coordinated vulnerability disclosure programmes (for example, US CERT); and
  • "The VEP should be codified in law to ensure compliance and permanence."
