
Vulnerability Disclosure Program kept under wraps by NSW government

A UNSW research group submission has unearthed an NSW government cyber security consultation, which could lead to the state developing its first bug bounty program.

Daniel Croft
Thu, 25 May 2023

Cyber Security NSW first unveiled draft plans for a Vulnerability Disclosure Policy last year, revealing when the consultation was launched in November that it would be developing one for the NSW government.

While the consultation was kept under wraps from public eyes, Cyber Security NSW had already discussed the outcomes of a vulnerability disclosure program as part of its Cyber Insights Series.

“Arguably, your greatest strength is understanding your greatest weakness, and moreover, disclosing it — this has particular application in the cyber world,” said former minister Victor Dominello.


The consultation was made public by the UNSW Allens Hub for Technology, Law and Innovation, which commented on a number of aspects of Cyber Security NSW’s Vulnerability Disclosure Policy draft.

The Cyber Security NSW draft sought to introduce protections for those acting in “good faith reporting”.

“Lack of clarity around computer crime legislation leaves those reporting vulnerabilities vulnerable,” they said.

“NSW would benefit from a ‘cyber socket’ to allow organisations to easily create vulnerability disclosure programs that are aligned to the legislation.

“Such assurance would, in turn, lead to a greater number of important vulnerability submissions.”

UNSW said that this may not provide an appropriate level of protection due to the wording of the Crimes Act 1900 (NSW).

“Computer offences in the Crimes Act 1900 (NSW) do not involve an agency/entity bringing an action, but rather a prosecution,” it said.

“In that sense, it is not up to the agency whether an action will be brought.”

Instead, UNSW said that the best way to protect those reporting in good faith in line with the vulnerability disclosure program would be to introduce a defence that explicitly relates to those acting in good faith.

The Allens Hub submission also found fault with the lack of information detailing how a submitted vulnerability report will be handled.

“In the draft Vulnerability Disclosure Framework, there is no indication of how a vulnerability report will be checked, reviewed, assessed, audited, or remediated,” it added.

A number of tests will also be banned, according to the consultation. UNSW believes that distributed denial-of-service (DDoS) attacks, physical attacks and attempts to modify or destroy data should also be added to the list.

UNSW concluded its commentary, saying that the new vulnerability reporting program would increase Cyber Security NSW’s workload dramatically and that it would need to be “adequately resourced” to be effective.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
