{"title":"See something, say something? Coordinating the disclosure of security vulnerabilities in Canada’s infrastructure","authors":"Yuan Stevens, S. Tran, Ryan Atkinson","doi":"10.1109/istas52410.2021.9629214","DOIUrl":null,"url":null,"abstract":"Ill-intentioned actors are rapidly developing the means to exploit vulnerabilities in the software and infrastructure of governments around the world. Numerous jurisdictions now facilitate coordinated vulnerability disclosure for such public systems, providing good faith security researchers a predictable and cooperative process to disclose security vulnerabilities for patching before they are exploited. This study identifies that Canada may be falling behind its global peers by failing to implement such reporting procedures. It indicates the need for a straightforward vulnerability disclosure and remediation path involving federal systems, linked to improved legal frameworks and government policies for security vulnerability discovery and disclosure in Canada and beyond.","PeriodicalId":314239,"journal":{"name":"2021 IEEE International Symposium on Technology and Society (ISTAS)","volume":"76 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE International Symposium on Technology and Society (ISTAS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/istas52410.2021.9629214","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Ill-intentioned actors are rapidly developing the means to exploit vulnerabilities in the software and infrastructure of governments around the world. Numerous jurisdictions now facilitate coordinated vulnerability disclosure for such public systems, providing good faith security researchers a predictable and cooperative process to disclose security vulnerabilities for patching before they are exploited. This study identifies that Canada may be falling behind its global peers by failing to implement such reporting procedures. It indicates the need for a straightforward vulnerability disclosure and remediation path involving federal systems, linked to improved legal frameworks and government policies for security vulnerability discovery and disclosure in Canada and beyond.