See Something, Say Something? The State of Coordinated Vulnerability Disclosure in Canada’s Federal Government

Countries around the world like the US, the UK and the Netherlands have all adopted coordinated vulnerability disclosure (CVD) frameworks to better secure government computer systems. CVD is an approach to vulnerability disclosure that provides good faith external security researchers a procedure for disclosing security flaws. However, the topic has largely remained understudied and underutilized in the Canadian context, leaving federal government institutions potentially more vulnerable in the face of internal and external threat actors. This talk identifies best practices and the policy frameworks needed to harness the efforts of security researchers who find and disclose security flaws in Canada’s federal government software, web applications, and potentially hardware, vehicles and critical infrastructures before adversaries do.

Our research confirms that Canada is falling behind other jurisdictions around the globe in its use of transparent and clear CVD frameworks. Numerous federal laws, including criminal and copyright legislation, may also have a chilling effect on security research in Canada, and the country's deficient whistleblower protection laws fail to protect people who disclose security vulnerabilities. Our work identifies the need for increased transparency and explicit regulation in Canada's current approach to vulnerability disclosure at the federal level.