To this aim, the city announced a new vulnerability disclosure program this week, intended to provide a clear and streamlined way to securely submit vulnerability findings.
“Generally, it shouldn’t be hard to report a potential vulnerability to city government,” Moan said.
The program was developed in partnership with testing platform Synack and provides an online submission form as well as rules of engagement and guidance. On the back end, Cyber Command receives and validates the findings, informing relevant agencies so they can remediate the issues.
The program is largely aimed at security researchers, but anyone who believes they’ve found something within scope of the program is encouraged to submit.
“You might stumble on something when navigating our sites,” Moan said.
Screenshot
Per program rules, researchers shouldn’t ask for compensation for the discoveries or time and materials. But Moan said researchers will be credited on the website for their findings. And they’ll get to see if they discovered something genuine that helped the city prevent a potential incident.
The rules of engagement warn researchers to avoid publicly disclosing vulnerabilities before the city has fixed them as well as to avoid testing in ways that might disrupt systems or violate privacy. Moan said the city has not had issues with harmful testing and that the rules are standard in this space.
The program covers all systems “within NYC public IP space,” and all websites or web applications under nyc.gov or cityofnewyork.us domains, plus any websites and web applications displaying a notification that they participate in the Vulnerability Disclosure Program, per the rules.
Moan said she hopes to release statistics next year about the number of findings researchers submitted and how many were remediated.
