citymeetings.nyc

Your guide to NYC's public proceedings.

QUESTION

What are the details of New York City's first vulnerability disclosure program?

1:12:02

·

171 sec

Video Player is loading.

Current TimeÂ 0:00

DurationÂ 0:00

Loaded: 0%

Stream TypeÂ LIVE

Remaining TimeÂ 0:00

Â

The council member is informed that New York City recently launched its first vulnerability disclosure program (VDP), allowing security researchers to identify and report vulnerabilities in the city's public-facing websites and infrastructure.

The VDP follows industry best practices for vulnerability categorization and remediation
Researchers who discover valid vulnerabilities are recognized on a public portal, without revealing vulnerability details
In its early stages, the VDP has already helped mitigate some vulnerabilities identified by researchers
The city sees partnership with the security industry as crucial for the large-scale VDP's success
Officials anticipate the program will grow exponentially as it continues being promoted

Jennifer Gutiérrez

1:12:02

You mentioned in your testimony the city's first vulnerability disclosure program.

1:12:09

Can you share I know it's fresh, but can you share a little bit more on this kind of, like, on the idea and and Has it worked?

1:12:19

Have you had folks already disclosed?

1:12:21

Is it and you have to educate me?

1:12:22

Is this like an annual disclosure, or is this just as soon as there's an issue staff is available, is able to disclose.

Kelly Moan

1:12:29

Thank you for that question.

1:12:30

We were really proud to launch the VDP program.

1:12:34

Obviously, New York City is is very large.

1:12:36

So endeavoring to launch a VDP of this size was a herculean effort and making sure that we had the appropriate process and procedures in place.

1:12:46

So what's really exciting from a practitioner perspective is that we have security researchers are out there in the community testing independently the software you use at home.

1:12:59

It's part of the reason you get the software updates with secure the updates embedded in them on your home computer.

1:13:04

Right?

1:13:05

And so when they identify that there could be a vulnerability that is located within the city domain infrastructure, more specifically public facing infrastructures or public facing websites that New Yorkers interact with on a daily basis.

1:13:22

They are able to submit the technical details of that exploitation.

1:13:27

That they believe is valid to our team, and we are able to assess whether or not it is in fact valid, and it's in fact fluidible vulnerability or weakness in the system.

1:13:41

And we we find we follow best best in class industry practice for categorization of severity of vulnerability.

1:13:49

And then we work closely with the agency to either put a remediation in place or a mitigation through technical controls.

1:13:57

And then once fixed, we also are able to give a head nod to that security researcher on our public facing portal that says they were able to find something while we don't reveal that, obviously, the specific content of the exploitation for For obvious reasons, we don't want threat actors to actually have insight into those vulnerabilities in particular.

1:14:16

They are able to get an Elite on the website that says they were able to fix things.

1:14:20

And, you know, we've done quite a bit to promote the program, but it is still early on, and it's 10 years.

1:14:25

So we have identified our security researchers have identified a handful of vulnerabilities that have been able to be mitigated, which is a big success for us.

1:14:33

Again, a partnership with the industry, right, large, is paramount because we are so big.

1:14:40

It takes all of us as a team to be working together to to protect and defend And I anticipate that will continue to exponentially grow as the program with engagements such as this continues to be in the public domain.

← Previous Chapter

What has been the effectiveness of the New York City Cyber Critical Services And Infrastructure Project (CCSI) partnership and how is the Office of Technology and Innovation (OTI) involved?

Next Chapter →

How can security researchers submit vulnerabilities they discover?