The White House recently released new details on the process the US government uses for disclosing zero-day vulnerabilities to vendors, or withholding disclosure for law enforcement or national security operations—called the Vulnerabilities Equities Process (VEP). The new charter for the VEP is available here.
The Administration's cybersecurity team deserves credit for significantly boosting the transparency of the VEP. Until now, few details were publicly confirmed about the VEP, and official sources had only discussed the VEP in generalities. By comparison, the new VEP charter is quite thorough and provides answers to several key questions, though it remains to be seen how it will operate in practice.
Rapid7 considers it important for the government to have a mature and effective VEP in place because private actors need to know about their vulnerabilities in order to make systems more secure. We recognize that the government has legitimate reasons to identify and exploit cybersecurity vulnerabilities, but the exercise of that power must be balanced with (among other things) the risks of failure of the systems on which we all rely. Greater transparency on the government's process for vulnerability disclosures is helpful to ensure—but not a guarantee—that the process strikes this balance appropriately.
Key details in the VEP charter include:
The charter makes clear that disclosure is the default and stockpiling is not the US government's policy. The charter notes the primary focus of the process is to protect cybersecurity, and that disclosure is in the national interest in the "vast majority" of cases (absent demonstrable, overriding national security or law enforcement interests). [Pg. 1.]
The VEP includes significant consideration of non-government interests. The charter reveals a non-exclusive list of considerations to weigh in deciding whether to disclose vulnerabilities. Many of these considerations focus on the interests of civilians, the private sector, and cybersecurity generally, not just law enforcement and national security. There is also some responsibility levied here on industry, as the considerations include the likelihood that vendors would create patches and that system operators would apply them. [Pgs. 13-14]
Decisions against disclosing vulnerabilities to vendors are reviewed at least annually, and immediately in cases of malicious exploitation. [Pg. 8]
As is to be expected, the charter includes areas of ambiguity. For example, the charter includes a broad exception to the VEP for vulnerabilities obtained from partners (such as other nations and commercial arrangements) and those used in "sensitive operations"—a term that is undefined in the charter. [Pg. 9] According to media reports, this exception for sensitive operations was highly controversial within the Administration. In addition, the VEP empowers the US Cybersecurity Coordinator to choose whether and how to report the quantity of vulnerabilities that the government does not disclose. [Pg. 5] Yet the quantity would help indicate whether vulnerability stockpiling is indeed occurring. Obviously it would be unreasonable to expect publication of precise numbers, but the oversight is nevertheless fuzzy here. We will just have to see how these issues play out as the VEP is implemented over time.
We expect the VEP to grow in importance as exploitation of vulnerabilities becomes more routine in law enforcement, intelligence, and military activities. It's also worth noting—as Kate Charlet, Sasha Romanosky, and Bert Thomson do—that this issue is certainly not confined to the United States. Nations around the world are increasingly likely to identify and use zero-day vulnerabilities. It would be helpful if other countries developed, coordinated, and published their own vulnerability disclosure processes. The articulation of the US government's VEP is a very positive step, but not the final one.