NSW gov quietly consulting on bug bounty program
Details of a closed NSW government cyber security consultation have emerged, via a submission published by a UNSW research group.
The consultation was launched late in 2022, accompanied by a draft framework setting out how a mooted NSW government vulnerability disclosure program would operate.
In November, Cyber Security NSW said the “NSW Government’s first vulnerability disclosure policy … is currently being developed by Cyber Security NSW.”
Cyber Security NSW has not, however, made the consultation documents public.
According to a submission [pdf] published by the UNSW Allens Hub for Technology, Law and Innovation, the consultation covers how infosec researchers could be given legal safe harbour; how NSW should handle reports that fall outside the definition of “good faith research”; and response timeframes.
UNSW Allens Hub said as well as defining “good faith research” in a vulnerability disclosure policy, the NSW government would probably need to make amendments to the Crimes Act, “to explicitly provide that good faith participation in a vulnerability disclosure program is taken to be authorised”.
Similarly, UNSW Allens Hub suggests the draft framework define “how a vulnerability report will be checked, reviewed, assessed, audited, or remediated”.
“The policy template mentions a restriction on public disclosure by a security researcher ‘until the reported issues have been validated and remediated’,” the submission stated.
The researchers also suggest that any vulnerability reporting system implemented by the NSW government should pass reports both to the agency whose system had the vulnerability, and Cyber Security NSW (in case the agency is unresponsive).
The submission also indicates that the consultation document lists the kinds of tests that would be forbidden under the policy, as UNSW Allens Hub suggests additions to that list: denial-of-service attacks, physical attacks, and attempts to modify or destroy data should be excluded.
A NSW Department of Customer Service spokesperson confirmed that it’s a closed consultation.
The spokesperson told iTnews: “Cyber Security NSW is engaged in closed consultation with Cyber Insights Series attendees and additional federal and state government entities.
“As part of consultation, Cyber Security NSW is considering options for a standard entryway for reports, and is evaluating how a vulnerability disclosure framework could support the new NSW Cyber Security Policy.
“Cyber Security NSW is also awaiting the release of the 2023-2030 Australian Cyber Security Strategy to determine any requirements relating to vulnerability disclosure programs ahead of providing policy options to the NSW Government for consideration.”