Bill Text: DE SB283 | 2015-2016 | 148th General Assembly | Draft


Bill Title: An Act To Amend Title 29 Of The Delaware Code Relating To Vulnerability Coordination Policy

Spectrum: Slight Partisan Bill (Republican 4-2)

Status: (Introduced - Dead) 2016-06-22 - Reported Out of Committee (ADMINISTRATIVE SERVICES/ELECTIONS) in Senate with 6 On Its Merits



SPONSOR:

Sen. Cloutier


Sens. Lavelle, Lopez, Marshall

DELAWARE STATE SENATE

148th GENERAL ASSEMBLY

SENATE BILL NO. 283

AN ACT TO AMEND TITLE 29 OF THE DELAWARE CODE RELATING TO VULNERABILITY COORDINATION POLICY


BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:


Section 1. Amend Chapter 90C, Title 29, Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:

Chapter 90C Department of Technology and Information.

Subchapter III Vulnerability Coordination Policy

§9001C Definitions.

(1)     "Security Researcher" means any person who, voluntarily and by their own assessments, discovers a vulnerability in computer software utilized by the State and informs the vendor of said vulnerability in an effort to improve the security of the State-utilized software and prevent data breaches.

(2)     "Vendor" means any corporation, company, or entity who develops, sells, licenses, or supplies software to the State of Delaware.

§9002C Vendor requirements.

(a)     Vendor must publicly publish a method/procedure by which they will receive security vulnerability reports (e.g. security@DOMAIN_NAME.com email address or web form submission).

(b)     Vendor must enumerate included products and scope (can be domains or product names), at minimum, including any vendor software component used by the State of Delaware.

(c)     Vendor must list prohibited testing methods (enumerated such that testing is assumed allowed unless otherwise stated). Examples include:

(1)     No Denial of Service [DOS] attacks.

(2)     No automated scanners without prior consent.

(3)     No extremely low-risk reports, e.g. logout CSRF [cross-site request forgery].

(4)     No "destructive actions" including but not limited to unauthorized access, deletion, or creation resulting in disruption of normal service to live system users.

§9003C Vendor obligations.

(a)     Burden of exemptions: vendor is responsible for clearly defining types of reports that are invalid and/or do not qualify for remediation.

(b)     Prioritize vulnerability reports based on severity and impact to users.

(c)     Minimal response time of two business days to researcher reports.

(d)     No legal action will be sought provided researcher follows above terms.

§9004 Security Researcher obligations.

(a)     Cooperation with vendor is expected until disclosure date.

(b)     No "early" public disclosure.

(c)     No extortion of reported bugs for compensation or selling reported vulnerability.

(d)     No testing using enumerated prohibited testing methods - otherwise legal action immunity is no longer guaranteed.

§9005C Public disclosure.

All reported vulnerabilities are subject to a 90-day deadline (vulnerabilities are only publicly disclosed following a released patch or if 90 days have passed without an available patch).


SYNOPSIS

Certain protocols are already in place for responding after security breaches of State data are discovered. This Act is meant to help prevent those breaches from occurring by discovering and patching software vulnerabilities before data is compromised.

AUTHOR: Senator Cloutier
