Under President Obama, the feds created this non-binding policy document called the Vulnerability Equities Process. This came after Snowden disclosed a long-assumed fact: that the spy organizations were hoarding bugs to use against whomever they wanted to rather than telling the developers about them so that they could be fixed. Of course, we are hardly alone in doing that. Every country likely does that.
The policy was kind of loose and since it wasn’t a law, people sometimes followed the directive and sometimes didn’t – but of course, we never knew anything about it. It was one of those “We’re from the government, we’re here to help you – trust us”.
Even the government admitted that the policy wasn’t super effective, but nothing changed. This week they rolled out – with not much fanfare (it was released by a mid-level White House bureaucrat) – Vulnerability Equities Process 2, the sequel.
One thing this new document did was explain at least some of the process, who is involved and what the guidelines are. It also says that the government needs to report on an annual basis some statistics – how many bugs were hoarded and how many shared with the vendors.
Of course this is still just a policy document, so it really carries very little weight and no penalty at all.
This new document comes on the heels of a Freedom of Information Act LAWSUIT. Maybe just a coincidence, but more likely, the government probably felt more dirty laundry would come out during discovery and trial and if they dribbled out a little bit of information, maybe the lawsuit will go away. Stay tuned on that count.
The board that decides these things consists of representatives from 10 agencies including the CIA, Defense, Justice, Treasury and other agencies.
The board is supposed to consider how broadly the product affected is being used, how easy it might be for someone else like the Chinese to discover the same bug and what the consequences might be if the Chinese, for example, did discover some bug that the government is hoarding.
The new policy says that the executive branch has to generate both a classified and unclassified report to Congress. We will see when the first report happens and what it looks like.
One hole in this policy the size of an 18-wheeler is that if a bug is disclosed to the government by a white-hat or black-hat hacker under an NDA (which is pretty common), then they don’t have to go through the process. I guess it would be nice to have a stat on how many bugs slipped through that loophole and whether the government is suggesting to people who want to share a bug with them, “Hey, I think you should do this under an NSA. Oh, oops, I meant NDA.”
Information for this post came from Dark Reading.