Description
I applaud the directive's emphasis on the inclusion of authorization "safe harbor" language. Such language is an essential but often overlooked component of a successful vulnerability disclosure policy. A few comments on the existing language from the provided VDP Template:
(1) The provided VDP template instructions strongly encourage the implementing agency not to modify the provided authorization language. This is perhaps a necessary balance, but there is an opportunity here for CISA to standardize this essential language for consistency across government. Could you consider making specific authorization language mandatory?
(2) The provided VDP template authorization language includes a phrase that appears to be unrelated to authorization. Recommend striking "we will work with you to understand and resolve the issue quickly" from this section. It is perhaps better suited under "What you can expect from us".
(3) The provided VDP template authorization language does not make a commitment to defend security researchers against vexatious or frivolous litigation. The DoJ's framework suggests: If legal action is initiated by a third party against a party who complied with the vulnerability disclosure policy, the organization will take steps to make it known, either to the public or to the court, that the individual’s actions were conducted in compliance with the policy.
Two suggested variations for your consideration.
Adapted from the existing VDP Template:
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. {Agency Name} will not recommend or pursue legal action related to your authorized research and will make this authorization known should legal action be initiated by a third party against you.
Adapted from Dropbox:
{Agency Name} considers activities conducted consistent with this policy to constitute "authorized" conduct. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. If legal action is initiated by a third party against you, we will take steps to make it known that your actions were conducted in compliance with this policy.