Maryland creates vulnerability disclosure program, expands ISAC statewide
Maryland’s top cybersecurity official on Tuesday announced on social media that the state has launched a vulnerability disclosure program, providing white-hat hackers an official avenue to share security issues they discover on the state’s websites and other online properties.
The state joins a small club of government organizations outside of the federal government to run such a program. California has run a VDP for several years, as has New York City. Ohio Secretary of State Frank LaRose runs one for the state’s election-related websites.
James Saunders, Maryland’s acting chief information security officer, said his state’s new program, which is supported by the bug bounty firm Bugcrowd, is “probably the most aggressive” in the nation.
“That’s the beauty of our VDP. We’re covering our executive branch, we’re covering our locals, we’re covering all the units of government so that we can protect and get some insight into vulnerabilities before a threat actor takes advantage of them,” Saunders said.
Christopher Krawiec, the state’s director of cyber resilience, said the program originated with Lance Cleghorn, Maryland’s director of state cyber security, who spent three years at the Defense Digital Service at the Department of Defense. Krawiec said it was “a passion project” of Cleghorn’s to launch a VDP in the state.
There are others at the Maryland Department of Information Technology who may also have been inclined to see the sense in a VDP. Saunders spent seven years in the federal government, at the Office of Personnel Management and the Small Business Administration, before joining the state. Katie Savage, Maryland’s chief information officer, also served several years at the Defense Digital Service before taking her current role.
At federal agencies, VDPs have been required since 2020, when a directive from the Cybersecurity and Infrastructure Security Agency noted that reporting vulnerabilities can be “frustrating” for reporters when federal agencies haven’t published clear policies. CISA noted that without clear policies, vulnerability reporters might not know the right way to report bugs, and if they do report one, they may not know if it’s being fixed, and, perhaps most saliently, they may (rightly) fear legal action.
“To many in the information security community, the federal government has a reputation for being defensive or litigious in dealing with outside security researchers,” the CISA directive read. “Compounding this, many government information systems are accompanied by strongly worded legalistic statements warning visitors against unauthorized use.”
In 2021, Mike Parson, then Missouri’s governor, accused a newspaper reporter who had discovered a security flaw on a public website of “hacking” the state’s sensitive data and threatened him and his colleagues with legal action. Several months later, the governor backed down and said he would not pursue legal charges, but not before stirring much acrimony and confusion.
Saunders said his state’s VDP is intended to put all good-faith contributors on the same team, “Team Maryland,” and pointed out that there are many bad actors afoot who have clearly chosen “Team Not-Maryland.”
“I think this is a huge culture play,” Saunders said. “I’m pretty sure you’ve heard 1,000 times cybersecurity is a team sport — this is rooted in that, in a sense. We’re taking the collective knowledge of everyone in Maryland, across the United States, potentially globally, as well, so that if they see something they can say something, without concerns of negative reprisals.”
Krawiec, Maryland’s cyber resilience director, said the state VDP’s safe harbor clause is its cornerstone.
“It basically says if you operate in good faith and engage with us for a responsible disclosure … then we will consider your work good faith and we will not pursue legal action against you,” he said. “And if someone else pursues legal action against you, then we will make the authorization of that activity known.”
Maryland ran a bug bounty program last year, over the course of a month, which yielded more than 40 new vulnerabilities. But unlike a bug bounty program, which usually has a limited scope or timeframe, the state’s VDP is here to stay, Krawiec said.
On top of Maryland’s VDP, Saunders announced that the state is also expanding its threat-intelligence organization. A directive issued last week requires all government organizations throughout the state to enroll in the Maryland Information Sharing and Analysis Center — from state agencies down to counties, K-12 schools, boards and commissions. The requirement will further expand, in six months, to include participation by critical infrastructure operators and technology vendors.
Saunders said expanding the MD-ISAC is “critically important” because rapidly sharing information is the lifeblood of cybersecurity defense, “especially against attackers who are leveraging AI and other automation capabilities.” This directive, he said, will “raise the floor” of the state’s cybersecurity resilience.