[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6735 Introduced in House (IH)]

115th CONGRESS
  2d Session
                                H. R. 6735

      To direct the Secretary of Homeland Security to establish a 
  vulnerability disclosure policy for Department of Homeland Security 
               internet websites, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 7, 2018

 Mr. McCarthy (for himself, Mr. Hurd, Mr. Langevin, and Mr. Ratcliffe) 
 introduced the following bill; which was referred to the Committee on 
                           Homeland Security

_______________________________________________________________________

                                 A BILL


 
      To direct the Secretary of Homeland Security to establish a 
  vulnerability disclosure policy for Department of Homeland Security 
               internet websites, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. DEPARTMENT OF HOMELAND SECURITY DISCLOSURE OF SECURITY 
              VULNERABILITIES.

    (a) Vulnerability Disclosure Policy.--The Secretary of Homeland 
Security shall establish a policy applicable to individuals, 
organizations, and companies that report security vulnerabilities on 
Department of Homeland Security public internet websites that shall 
include--
            (1) the information technology to which the policy applies;
            (2) the conditions under which parties may legally operate 
        to discover and report security vulnerabilities;
            (3) how individuals, organizations, and companies should 
        disclose discovered security vulnerabilities to the Department;
            (4) the communication that parties that report security 
        vulnerabilities should expect from the Department; and
            (5) how the Department will disclose, or how parties that 
        report security vulnerabilities may disclose, reported security 
        vulnerabilities.
    (b) Remediation Process.--The Secretary shall develop a process for 
the Department of Homeland Security to address how the Department will 
mitigate or remediate security vulnerabilities reported through the 
policy developed in subsection (a).
    (c) Consultation.--In developing the security vulnerability 
disclosure policy under subsection (a), the Secretary shall consult 
with--
            (1) the Attorney General regarding how to ensure that 
        individuals, organizations, and companies that comply with the 
        requirements of the policy developed under subsection (a) are 
        protected from prosecution under section 1030 of title 18, 
        United States Code, civil lawsuits, and similar provisions of 
        law with respect to specific activities authorized under the 
        policy;
            (2) the Secretary of Defense and the Administrator of 
        General Services regarding lessons that may be applied from 
        existing vulnerability disclosure programs; and
            (3) non-governmental security researchers.
    (d) Public Availability.--The Secretary shall make the policy 
developed under subsection (a) publicly available.
    (e) Submission to Congress.--
            (1) Not later than 90 days after the date of the enactment 
        of this Act, the Secretary shall submit to Congress the policy 
        required under subsection (a) and the remediation process 
        required under subsection (b).
            (2) Not later than one year after creating the policy 
        required under subsection (a) the Secretary shall submit a 
        report to Congress, and annually thereafter for each of the 
        next three years, the Secretary shall brief Congress with the 
        following information with respect to the policy required under 
        subsection (a) and the process required under subsection (b):
                    (A) the number of unique security vulnerabilities 
                reported;
                    (B) the number of previously unknown security 
                vulnerabilities mitigated or remediated;
                    (C) the number of unique parties that reported 
                security vulnerabilities; and
                    (D) the average length of time between the 
                reporting of security vulnerabilities and mitigation or 
                remediation of such vulnerabilities.
    (f) Definitions.--In this section--
            (1) the term ``security vulnerability'' has the meaning 
        given that term in section 1501 of title 6, United States Code, 
        in information technology; and
            (2) the term ``information system'' has the meaning given 
        that term by section 3502 of title 44, United States Code.