ACLU: Feds should offer rewards for finding cybersecurity flaws

The American Civil Liberties Union is calling on federal officials to make it easier for people to report security flaws in government computer systems, including by offering rewards.

The group told the Department of Commerce Internet Policy Task Force in a letter Wednesday to provide financial incentives for security researchers who bring flaws to the government's attention. Such rewards are common practice at large tech firms.

“For far too long, researchers who discovered a security vulnerability have had to make a difficult choice: do the right thing — by telling the company responsible for the software or warning the general public — or sell the vulnerability, often to a government, which would then quietly exploit that flaw for its own gain,” the group said in its letter.


“In an effort to disrupt this shadowy grey market and to provide some financial reward to researchers who notify the responsible vendor or developers, some leading technology companies have created 'bug bounty' programs.”

The civil liberties group noted that the U.S. government often pays researchers for vulnerabilities so that federal law enforcement can exploit them — but does not offer payment for simply notifying developers about flaws in their work.

“In spite of the billions of dollars spent annually by the U.S. government on cybersecurity, we are not aware of any U.S. government agency that has established a bug bounty program intended to reward researchers who find flaws in U.S. government systems and websites,” the letter said.

The group also asked the task force to recommend that government agencies publish the contact information for their security teams and implement policies to assure researchers they will not face legal troubles if they report a vulnerability.

“It is imperative that government agencies and companies take every possible measure to both protect the security of their systems and websites,” the group said, “and to improve the process of computer security vulnerability disclosure in order to encourage the reporting of exploitable programming flaws and design mistakes.”