Vulnerability Disclosure Program kept under wraps by NSW government

A UNSW research group submission has unearthed an NSW government cyber security consultation, which could lead to the state developing its first bug bounty program.


Cyber Security NSW first unveiled draft plans for a Vulnerability Disclosure Policy last year, revealing that it would be developing one for the NSW government when the consultation was launched in November.

While the consultation was kept under wraps from public eyes, Cyber Security NSW had already discussed the outcomes of a vulnerability disclosure program as part of its Cyber Insights Series.

“Arguably, your greatest strength is understanding your greatest weakness, and moreover, disclosing it — this has particular application in the cyber world,” said former minister Victor Dominello.

The consultation was made public by the UNSW Allens Hub for Technology, Law and Innovation, which commented on a number of aspects of Cyber Security NSW’s Vulnerability Disclosure Policy draft.

The Cyber Security NSW draft sought to introduce protections for those acting in “good faith reporting”.

“Lack of clarity around computer crime legislation leaves those reporting vulnerabilities vulnerable,” they said.

“NSW would benefit from a ‘cyber socket’ to allow organisations to easily create vulnerability disclosure programs that are aligned to the legislation.

“Such assurance would, in turn, lead to a greater number of important vulnerability submissions.”

UNSW said that this may not provide an appropriate level of protection due to the wording of the Crimes Act 1900 (NSW).

“Computer offences in the Crimes Act 1900 (NSW) do not involve an agency/entity bringing an action, but rather a prosecution,” it said.

“In that sense, it is not up to the agency whether an action will be brought.”

Instead, UNSW said that the best way to protect those acting in good faith reporting in line with the vulnerability disclosure program would be to introduce a defence that explicitly relates to those acting in good faith.

The Allens Hub submission also found fault with the lack of information about how a submitted vulnerability report will be handled.

“In the draft Vulnerability Disclosure Framework, there is no indication of how a vulnerability report will be checked, reviewed, assessed, audited, or remediated,” it added.

A number of tests will also be banned, according to the consultation. UNSW believes that distributed denial-of-service (DDoS) attacks, physical attacks and attempts to modify or destroy data should also be added to the list.

UNSW concluded its commentary, saying that the new vulnerability reporting program would increase Cyber Security NSW’s workload dramatically and that it would need to be “adequately resourced” to be effective.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.