Centre for Internet & Society

This policy brief recommends several changes pertaining to current legislation, policy and practice to the Government of India regarding coordinated vulnerability disclosure (“CVD”) for improving the overarching information and cyber security posture of the country.

Executive Summary

The increasing use and integration of information and communication technologies in most aspects of modern life raises with it the importance of being able to ensure the robust security of these systems. This policy brief has been framed with the objective of increasing and enhancing efforts to develop and maintain a secure environment within the country. The brief draws upon knowledge gathered from various sources, including newspaper and journal articles, current law and policy, and several interviews that we conducted with members of the Indian security community.

This policy brief touches upon the issue of vulnerability disclosures that are made by individuals to the Government, explores existing problems and makes recommendations as to how the Government’s vulnerability disclosure processes could potentially be improved.

This policy brief also explores the benefits of formalising a Vulnerabilities Equities Process (“VEP”) framework for the Indian context, which the Government could adopt for processing and disseminating information about security vulnerabilities and exploits that are brought to its attention by the security community, as well as those that are discovered internally by Government departments and agencies such as the National Technical Research Organisation (“NTRO”) or the National Critical Information Infrastructure Protection Centre (“NCIIPC”).

Key takeaways from the research include:

  • There is a noticeable lack of transparency in current vulnerability disclosure programmes and processes;
  • There is an observable gap in communication between hackers and the Government, as well as a lack of proper outreach by Government entities;
  • Problematic legislative instruments (including several sections of the IT Act) directly disincentivise security research;
  • There are several low-hanging fruit which can be addressed in order to strengthen the overarching information and cyber security architecture of India.

The policy brief can be accessed here.
