Italy plans ‘responsible disclosure’ cyber security policy

Programme to allow hackers to break into government systems and privately report flaws.

The Italian Government will create a national policy for responsible disclosure of security threats found by hackers. “We have begun discussions with CERT Nazionale and CERT-PA to define and publish a national policy for responsible disclosure,” staff from the government’s Digital Transformation Team wrote in a blog post. Under such policies, “ethical hackers” look for bugs in the government’s software and report potential flaws privately to the authorities. The hackers would disclose details of the bugs only once the problem has been solved. In December, for example, an 18-year-old reported to the government bugs in one of its payment software. The company that developed the software was then able to plug the weakness and release an updated version within a few hours, according to the digital team. The teenager later published a blog about his experience after the problems were solved. Responsible disclosure policies are widely used by software companies which encourage hackers to report weaknesses. The Italian team plans to learn from such existing programmes. “Instead of creating a framework from scratch, we will compare the technical strategies of successful institutions to create the best normative framework possible,” it said. When hackers are paid to find such flaws and reporting them privately, the programmes are called “bug bounties”. Italy may also eventually launch a bug bounty, it added. “[We] believe that those who are able to identify a problem and communicate it in a timely and private manner – disclosing the details only once the problem has been solved – should be compensated,” it wrote. The US Department of Defence launched a bug bounty programme called ‘Hack the Pentagon’ in April last year. 1,400 vetted hackers were invited to break into US government systems, helping to resolve 138 security issues. Drafts of any new policies created on responsible disclosures and bug bounties “will be publicly shared so we can discuss them with those who are interested”, the team added.