This year has been an interesting one for infosecurity in India. Major infrastructure services — from identity to payment services — have gone online. This is also the reason why there is a lot of conversation happening around general and operational security. But what’s lacking is any discussion of the missing guidelines for reporting security issues in India.
In the absence of any public guidelines or discussions, I tweeted to major infrastructure providers and institutions responsible for cybersecurity like @IndianCert, @NCPI_NCPI, @UPI_NCPI, @GoI_MeiTY, @_DigialIndia, @SecretaryMEITY, @UIDAI, etc., asking them for the process of reporting vulnerabilities and a secure way of contacting them. None of them replied, except for @UIDAI, and its reply seemed like a standard social media message, asking me to send the query through Twitter direct message. Institutions like India CERT have a mandate to provide a single-point contact for reporting and be available 24×7. But they are unresponsive and don’t have any guidelines for the reporters.
The National Critical Information Infrastructure Protection Centre (NCIIPC) was created by the Government of India with a mission “To take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorised access, modification, use, disclosure, disruption, incapacitation or distraction through coherent coordination, synergy and raising information security awareness among all stakeholders.”
The NCIIPC is responsible only for critical infrastructure, and not for any public or private organisation. Even though it has PDF forms to report vulnerabilities or incidents, it’s targeted towards vendors and not towards ethical hackers or security researchers. It also doesn’t have a publicly available policy which defines what process will be followed after reporting or what kind of legal protections are provided to security researchers.
Most public institutions don’t have processes or policies in place for handling responsible disclosure. They need guidelines that they can use to set up such a process and policy to communicate with stakeholders.
Wikipedia has a very concise definition of “responsible disclosure”: “Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.”
A responsible disclosure policy defines the process by which the stakeholders communicate with each other, fix the issue and communicate it to the wider public.
It’s high time that the NCIIPC, CERT and MeitY come together with other stakeholders to draft responsible disclosure policy guidelines for India. This will help a lot of government and private organisations to come up with their own policies. It will also encourage individual security researchers to report incidents or vulnerabilities and help to strengthen the digital infrastructure of India.
Read other articles by Thejesh GN.