Despite the best efforts of any organization, security vulnerabilities will sometimes leak into production products and services. When they are identified, hopefully it is by someone with good intentions. Having a responsible disclosure process helps us prepare for that scenario.

The responsible disclosure process should help a security researcher (or other individual who has identified a vulnerability) know whom to contact to report what they have found, how to send details of the vulnerability securely, and what the lottery will do upon receipt of a vulnerability report. It should also help the lottery plan how it will respond.

There are actually two new controls on responsible disclosure. L.5.1.8 is for lottery operators and S.1.2.6 is for suppliers of lottery gaming systems such as central gaming systems, independent control systems, random number generators, and similar.

Once the process has been determined by the lottery, best practice would be to publish the details of the process on the lottery website and to also create a security.txt file in line with the draft internet standard (details at

Hopefully this new control will give players, regulators, retailers, and other stakeholders confidence that if other controls fail, and a security vulnerability does make it into production, there is a robust and timely process in place to respond.
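For the security.txt file mentioned above, a lottery can check its draft before publishing it. The following is an added example, not code from the article or from the WLA; it assumes the field rules of RFC 9116 (the published form of the security.txt draft), and the `lottery.example` addresses and function name are hypothetical.

```python
from datetime import datetime, timezone

# Field rules from RFC 9116, assumed here to match the draft the article cites.
REQUIRED = {"contact", "expires"}
SINGLE = {"expires", "preferred-languages"}
URI_FIELDS = {"contact", "acknowledgments", "canonical", "encryption", "hiring", "policy"}

# Constructed sample files for a hypothetical lottery at lottery.example.
GOOD = """# Report vulnerabilities to the security team
Contact: mailto:security@lottery.example
Contact: https://lottery.example/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://lottery.example/pgp-key.txt
Policy: https://lottery.example/disclosure-policy
"""
BAD = """Contact: security@lottery.example
Policy: http://lottery.example/disclosure-policy
Expires: 2020-01-01T00:00:00Z
"""


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = []
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.startswith("#"):  # skip comments and blank lines
            fields.append((name.strip().lower(), value.strip()))
    names = [n for n, _ in fields]
    problems = [f"missing required field: {n}" for n in sorted(REQUIRED - set(names))]
    problems += [f"field repeated: {n}" for n in sorted(SINGLE) if names.count(n) > 1]
    for name, value in fields:
        low = value.lower()
        if name in URI_FIELDS and low.startswith("http://"):
            problems.append(f"{name}: web links must use https://")
        elif name == "contact" and not low.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"contact is not a URI: {value}")
        elif name == "expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"expires is not an ISO 8601 timestamp: {value}")
                continue
            if expires.tzinfo is None:  # treat a timestamp without an offset as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append(f"expires has passed: {value}")
    return problems
```

An expired or missing `Expires` field is the failure most likely to appear after publication, so the same check is worth running on a schedule against the live file.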

By David Boda, Head of Information Security for Camelot and member of the WLA SRMC