See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada

June 2021

Authors

  • Yuan Stevens
  • Stephanie Tran
  • Ryan Atkinson
  • Sam Andrey

Contributors

  • Karim Bardeesy
  • Sumit Bhatia
  • Zaynab Choudhry
  • Charles Finlay
  • Braelyn Guppy
  • Sharan Khela
  • Mohammed (Joe) Masoodi


Executive Summary

Ill-intentioned actors are rapidly developing the technological means to exploit vulnerabilities in the web assets, software, hardware, and networked infrastructure of governments around the world. Numerous jurisdictions have adopted the policy approach of facilitating coordinated vulnerability disclosure (CVD) as one means to better secure the public sector’s systems, through which external security researchers are provided a predictable and cooperative process to disclose security flaws for patching before they are exploited. Canada is falling behind its peers and allies in adopting such an approach.

A global scan of vulnerability disclosure policy approaches indicates that 60 percent of G20 member countries provide distinct and clear disclosure processes for vulnerabilities involving government systems, with many providing clarity regarding the disclosure process and expectations for security researchers regarding communication and acceptable activity. The Netherlands and the US are particularly leading the way when it comes to providing comprehensive policy and pragmatic solutions for external vulnerability disclosure, acting as a learning model for Canada. Both countries have also begun to provide explicit legal clarification regarding acceptable security research activity, particularly in the context of coordinated vulnerability disclosure.

In Canada, there exists no legal or policy framework regarding security research and vulnerability disclosure done in good faith; that is, done with the intent and in such a way to repair the vulnerability while causing minimal harm. Absent this framework, discovering and disclosing vulnerabilities may result in a security researcher facing liability under the Criminal Code, as well as potentially the Copyright Act, if exemptions do not apply. Whistleblower legislation in Canada generally would also not apply to vulnerability disclosure except in very limited, specific instances.

Further, Canada’s Centre for Cyber Security — and its parent agency, the Communications Security Establishment — currently have practices and policies that may discourage people from disclosing vulnerabilities and, on top of this, are also opaque about how such vulnerabilities are handled.

The cumulative effect of this approach in Canada means that there is no straightforward or transparent path for a person wishing to responsibly disclose a security vulnerability found in the computer systems used by the Government of Canada — resulting in possible non-disclosure, public disclosure before remediation, or otherwise enabling the use of security vulnerabilities by attackers in ways that could jeopardize the security of Canada’s computer systems and the people that they serve.

In light of these findings, we advocate for the following three policy solutions in Canada to remedy these gaps:

  1. Canada needs a policy framework for good faith vulnerability discovery and disclosure;
  2. Canada should carefully implement coordinated vulnerability disclosure procedures for the federal government’s computer systems, and draw on emerging best practices as it does so; and
  3. Vulnerabilities disclosed to the government from external actors should be kept separate from the government’s handling of vulnerabilities uncovered internally in the course of Canada’s defensive and offensive intelligence efforts.

This report seeks to help the Government of Canada adapt to meet the challenges posed by digital transformation, and the security threats that come with rapid technological development and deployment. While far from providing exhaustive solutions, this report begins to identify both policy gaps and pragmatic solutions that can harness the skillset of security researchers and professionals who find and responsibly disclose security flaws in government websites, software, hardware, IoT devices, and critical infrastructure before attackers do.