Trump administration picks new leader for Vulnerabilities Equities Process board

The White House has selected a new leader to head a secretive government group that helps decide which software vulnerabilities should be kept for intelligence gathering purposes or widely released to the public. National Security Council (NSC) senior director Grant Schneider has been named chair of the Vulnerability Equities Process (VEP) board, a National Security Council spokesperson told CyberScoop. Schneider is also currently serving as the acting federal chief information security officer. His appointment follows the departure of former White House cybersecurity coordinator Rob Joyce, who left 1600 Pennsylvania Avenue in May. He is now serving as a senior adviser at the National Security Agency. Joyce was instrumental in a public charter released last year that brought transparency to the process by which the U.S. government determines whether to withhold or disclose information to tech companies about newly discovered flaws in their software. The charter originally named Joyce as the head of the multi-agency […]

The post Trump administration picks new leader for Vulnerabilities Equities Process board appeared first on Cyberscoop.

White House Releases VEP Disclosure Rules

The White House released a charter document on Wednesday outlining how the U.S. government will disclose cybersecurity flaws and when it will keep them secret.

White House unveils process behind disclosing software vulnerabilities

The White House has released a charter that will give more clarity and bring more transparency to the vulnerabilities equities process, the course by which the U.S. government determines to either withhold or disclose information to tech companies about flaws in their software. The charter lays out the core considerations taken into account by the U.S. government when a vulnerability is in its possession, weighing “the benefit to national security and the national interest when deciding whether to disclose or restrict knowledge of a vulnerability.” “Vulnerability management requires sophisticated engagement to ensure protection of our people, the safeguarding of critical infrastructure, and the defense of important commercial and national security interests,” reads the charter, which was released Wednesday. “The new VEP Charter balances those interests in a way that is repeatable and defensible, and its publication will bolster the confidence of the American people as we continue to carry out […]

Why reforming the Vulnerability Equities Process would be a disaster

When the authors of WannaCry turbo-charged their ransomware with NSA exploits leaked by the Shadow Brokers, people thought it was the Vulnerability Equities Process’ worst-case scenario. It’s really not. The VEP is the policy process the U.S. government undertakes when one of its agencies finds a new software vulnerability. It’s how the government decides whether to tell the manufacturer about the bug, so they can patch it and keep all their customers safe; or to keep it secret and stealthily employ it to spy on foreign adversaries who use that software. In the wake of Shadow Brokers dumping several sets of highly advanced NSA hacking tools online — many using previously unknown vulnerabilities — there have been rising demands for reform of the VEP. Lawmakers have got in on the act, pledging to legislate the process with the Protecting Our Ability to Counter Hacking, or PATCH Act of 2017. But […]

Should the government stockpile zero day software vulnerabilities?

Storm clouds are rising over the U.S. government’s policy on software flaw disclosure after the massive WannaCry infection spread using a cyberweapon developed by the NSA, and even former agency leaders say it might be time to take a fresh look at the Vulnerability Equities Process. Under the VEP, U.S. officials weigh the benefits of disclosing a newly discovered flaw to the manufacturer — which can issue a patch to protect customers — or having the government retain it for spying on foreign adversaries who use the vulnerable software. The process has always had a bias toward disclosure, former federal officials said. “We disclose something like 90 percent of the vulnerabilities we find,” said Richard Ledgett, who retired April 28 as the NSA’s deputy director. “There’s a narrative out there that we’re sitting on hundreds of zero days and that’s just not the case,” he told Georgetown University Law Center’s annual cybersecurity law institute. […]

PATCH Act Calls for VEP Review Board

The PATCH Act proposes the formation of a review board that would formalize and make transparent the processes by which the government determines whether it will use or disclose a zero-day vulnerability.

Lawmakers introduce bill to shine spotlight on government hacking stockpile

A bipartisan bill introduced in Congress Wednesday aims to add transparency to a controversial oversight framework currently used by federal agencies, known as the Vulnerabilities Equities Process. The legislation, as it’s currently written, would help better define exactly when and if the U.S. government should notify a company about flawed computer code it discovers in one of that company’s products. Named the Protecting Our Ability to Counter Hacking Act, or PATCH Act, the bill seeks to codify the VEP into law, answering some of the tough questions that surround the current framework, including who sits on the multi-agency review board responsible for decisions and when public disclosure is appropriate. In addition, the PATCH Act offers brief decision-making criteria and broadly describes certain considerations that must be weighed by board members, including the Secretary of Commerce and the Directors of National Intelligence. Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory […]

WikiLeaks dump reignites debate over feds hoarding zero days

The document dump by anti-secrecy group WikiLeaks that identifies alleged CIA hacking tools has reopened a vigorous debate about whether the U.S. government should secretly stockpile cyber-weapons. Critics say the publication of source code for the CIA cyber-weapons would be a cybersecurity disaster akin to the release of anthrax from a government laboratory — and are calling for a new policy. Defenders of U.S. policy say there is already a process in place to weigh the risks any time the government decides to keep a newly discovered software vulnerability to itself and weaponize it, rather than sharing it with the vendor so it can be fixed. And a former White House official tells CyberScoop that U.S. agencies should be reaching out to the manufacturers of the products CIA hackers owned to help them fix the holes they have been using. “Time is of the essence,” former White House Cybersecurity Coordinator J. Michael Daniel told CyberScoop. In a blog […]

Software vulnerability disclosures by NSA will continue under Trump, officials say

The disclosure process that governs how and when federal agencies should tell tech firms about flawed computer code is in no immediate danger of termination under the Trump administration, current and former U.S. officials said. Flawed code by its very nature offers vulnerabilities that can be targeted by hackers. Knowledge of these vulnerabilities — especially those […]