Skip to content

See Something, Say Something: Coordinating the Disclosure of Security Vulnerabilities in Canada

June 2021

See Something, Say Something

Authors

User

Yuan Stevens

User

Stephanie Tran

User

Ryan Atkinson

Sam Andrey

Sam Andrey


Contributors

  • Karim Bardeesy
  • Sumit Bhatia
  • Zaynab Choudhry
  • Charles Finlay
  • Braelyn Guppy
  • Sharan Khela
  • Mohammed (Joe) Masoodi


Tags


Share

Executive Summary

Ill-intentioned actors are rapidly developing the technological means to exploit vulnerabilities in the web assets, software, hardware, and networked infrastructure of governments around the world. Numerous jurisdictions have adopted the policy approach of facilitating coordinated vulnerability disclosure (CVD) as one means to better secure the public sector’s systems, through which external security researchers are provided a predictable and cooperative process to disclose security flaws for patching before they are exploited. Canada is falling behind its peers and allies in adopting such an approach.

A global scan of vulnerability disclosure policy approaches indicates that 60 percent of G20 member countries provide distinct and clear disclosure processes for vulnerabilities involving government systems, with many providing clarity regarding the disclosure process and expectations for security researchers regarding communication and acceptable activity. The Netherlands and the US are particularly leading the way when it comes to providing comprehensive policy and pragmatic solutions for external vulnerability disclosure, acting as a learning model for Canada. Both countries have also begun to provide explicit legal clarification regarding acceptable security research activity, particularly in the context of coordinated vulnerability disclosure.

In Canada, there exists no legal or policy framework regarding security research and vulnerability disclosure done in good faith; that is, done with the intent and in such a way to repair the vulnerability while causing minimal harm. Absent this framework, discovering and disclosing vulnerabilities may result in a security researcher facing liability under the Criminal Code, as well as potentially the Copyright Act, if exemptions do not apply. Whistleblower legislation in Canada generally would also not apply to vulnerability disclosure except in very limited, specific instances.