
SELECTED PROJECT 2021
Strategy for reporting vulnerabilities to strengthen information security standards in the public sector
PURPOSE
To improve existing information security (infosec) standards in the public sector through the co-creation of a platform that allows reporting of computer vulnerabilities in public systems. This will allow public authorities to respond and correct breaches or failures after vulnerabilities are identified.
OBJECTIVE
A diagnosis will be prepared that identifies current legal penalties for reporting vulnerabilities in Argentina and Latin America.
Based on the diagnosis, we will co-create, in conjunction with relevant actors in the field, a road map of legal and technical guarantees with the aim of enabling reports in an environment that guarantees the security of the information collected while preserving the anonymity of those who provide the information. In addition, we will seek legitimization of the proposal by the Argentine National State, jointly defining protocols for the transmission of reports that formalize and guarantee the continuity of public-private cooperation.
We intend to include the infosec community in all phases of the project and to promote responsible digital citizenship.

CONTEXT
The pandemic increased the State’s demand for digital systems. Many were implemented in a race against the clock, without the necessary safeguards to guarantee the security and privacy of the public’s sensitive data.
In this context, raising awareness of the risks of the technologies implemented by the public sector is essential to safeguarding the public’s sensitive data.
However, with the current legislation, investigators who report computer vulnerabilities are usually exposed to criminal prosecution. This creates a situation that makes it impossible to demand accountability for rights to privacy and freedom of expression. In practice, the lack of an anonymous and legal way to report vulnerabilities is a restriction on fundamental rights, such as freedom of expression and access to information.
The consolidation of reporting systems, with a guarantee of anonymity and prior legal audit, is essential for defending our digital rights.
The current legal framework deepens social inequalities and the most vulnerable groups—most of them holders of social policies that require digitization of their data—are the least protected, due to both their dependence on state systems and their lack of access to justice in general and to digital education. In this sense, the project seeks to help build a digital civic culture.
Exposure of the public to possible computer attacks or use of their personal data for unauthorized purposes, it’s a consequence that could result from not addressing this topic

Expected results benefitting the population:
- Creation of a platform for safe reporting of vulnerabilities, that ensures the anonymity of those who make the reports.
- Ensuring legal coverage of those who report vulnerabilities
- Creating a space for cooperation between the infosec community and public authorities.
- Formal proposal of legitimized, formalized mechanisms for referring complaints made by the infosec community to the National State.
- Strengthening civic participation spaces on matters related to information security of digital assets created.
- Disseminating the platform in civil society and among legal and IT operators.