ll-intentioned actors are rapidly developing the technological means to exploit vulnerabilities in the web assets, software, hardware, and networked infrastructure of governments around the world. Numerous jurisdictions have adopted the policy approach of facilitating coordinated vulnerability disclosure (CVD) as one means to better secure the public sector’s systems, through which external security researchers are provided a predictable and cooperative process to disclose security flaws for patching before they are exploited. Canada is falling behind its peers and allies in adopting such an approach.

A global scan of vulnerability disclosure policy approaches indicates that 60 percent of G20 member countries provide distinct and clear disclosure processes for vulnerabilities involving government systems, with many providing clarity regarding the disclosure process and expectations for security researchers regarding communication and acceptable activity. The Netherlands and the US are particularly leading the way when it comes to providing comprehensive policy and pragmatic solutions for external vulnerability disclosure, acting as a learning model for Canada. Both countries have also begun to provide explicit legal clarification regarding acceptable security research activity, particularly in the context of coordinated vulnerability disclosure. 

Authors: Stevens, Y., Tran, S., Atkinson, R., Andrey, S.  |  June 2021