This fall, the White House is due to release its first transparency report on the Vulnerabilities Equities Process, the interagency process by which the government decides whether it will retain knowledge of a security vulnerability for future spying purposes or disclose it to the software or device manufacturer so that it may be fixed.
The VEP’s charter does not say what this report will contain, only that it will go to the National Security Council, possibly Congress, and given the requirement for an unclassified summary, theoretically the public, too.
While the federal IT world and the wider public wait for this new information, it is important to understand what the VEP process does and does not require, and the many disclosure decisions federal agencies get to make before the VEP process even comes into play.
However, there is very little public information about how the VEP process works, and it is possible that agencies are unilaterally deciding to disclose vulnerabilities under their own internal policies at a rate that actually dwarfs the importance of the VEP itself.
There are three ways to avoid the VEP altogether, and one of them is for an agency to disclose a vulnerability that is actively being exploited or poses an immediate risk to government or other systems. The VEP charter repeatedly mentions each agency’s ability to single-handedly determine that notification is necessary and that the interagency process is “not intended to prevent the USG [US Government] from taking immediate actions to protect its network(s) or warn entities actively threatened by a malicious cyber event, including ongoing unauthorized access to information systems.”
It also states that, “Vulnerabilities identified through security researcher activity and incident response that are intended to be disclosed in a rapid fashion will not be subject to adjudication by the VEP.” It is therefore incredibly important how each agency structures its own disclosure policy.
What Is a Full Disclosure Policy?
Some have advocated that the government adopt full disclosure policies, and there does not appear to be any legal prohibition on agencies adopting them. In practice, “full disclosure” involves the immediate publication of a vulnerability without any delay for any reason.
Some proponents of full disclosure argue that this facilitates security self-defense, so that users of the vulnerable device or service can mitigate the damage without the assistance of the manufacturer or software provider.
They also argue that publication of all vulnerabilities allows users to make informed purchasing decisions on the front end, and may have the effect of shaming vendors into fixing immediate problems and building better products over the long run.
What Would a Governmental Full Disclosure Policy Look Like?
Full disclosure comes with risks that the government would have to at least attempt to mitigate. First, the government would have to find a way to immediately mitigate harm to its own systems if they include the flaw. Since a full disclosure policy would not permit the government to get a head start on securing its devices and data before going public with the vulnerability, it necessitates an entire infrastructure for rapid response.
Admittedly, some of this would exist in current government IT processes that update software and respond to known vulnerabilities within 30 days of notification or discovery. But one would expect the scale of agency rapid response would have to grow substantially to handle the work necessary to play defense.
The government would also have to radically rethink the services it offers the private sector and consumers at large. While a single researcher may feel no responsibility for the consequences of instant disclosure under a full disclosure policy, the U.S. government certainly would — and, in fact, should. Government agencies like the Department of Homeland Security and the Commerce Department have developed educational materials targeting small businesses and individuals, for example, but the government would assume an entirely different scale of responsibility for helping those who will be affected by increased vulnerability publication.
It would take a gargantuan effort to rapidly and systemically change technology literacy at the scale necessary to fairly help consumers and users.
What Is a Responsible Disclosure Policy?
Another approach is responsible disclosure, also called coordinated disclosure. It is widely accepted as a way to balance the competing interests of the vendors who maintain the vulnerable products and the users of those products.
Under responsible disclosure, the vendor is notified and given a reasonable chance to cure the defect before public release of the vulnerability. However, other entities can be selectively notified to permit system defense, monitoring or preparation for later patching.
An ideal responsible disclosure process results in patching a vulnerability before it can be exploited, and, if appropriate, permits some set of actors to mitigate risk in the meantime.
A somewhat controversial but high-profile example of this process is the handling of the Spectre and Meltdown vulnerabilities in January. Researchers at Google found a flaw in processors made by Intel, AMD and ARM Holdings. After notifying the chipset makers about the vulnerabilities, the companies and other major tech sector actors spent six months working on a coordinated response and patching plan.
There is still debate over whether that timeframe was too long or if all the right entities were included in response planning, but it represents how responsible disclosure policies can encourage coordination to minimize the disruption of devices and services.
Does the Government Use Responsible Disclosure Policies?
We do not have a fully transparent view into how agencies handle vulnerabilities, but the government is encouraging its agencies to adopt responsible disclosure policies as part of their overall cybersecurity planning. The National Institute of Standards and Technology updated its widely praised Cybersecurity Framework — the risk analysis and mitigation guidance designed for federal agencies — to include responsible disclosure this year.
It certainly does not appear that any agency has categorically adopted either vulnerability publication or secrecy, so agencies are necessarily operating in the responsible disclosure policy space in between. President Donald Trump’s 2017 cybersecurity executive order has compelled agencies to use the NIST framework, so agencies will be considering how to build out these programs in the near future.
While the VEP will continue to attract attention and the imaginations of security commentators, more attention should be paid to what agencies are doing under their unilateral authority to disclose vulnerabilities.
Whether and how an agency adopts a full disclosure or responsible disclosure policy may say more about how our government operates in the vulnerability ecosystem than the more infamous VEP process in the long run.