Study: Zero days rediscovered much faster

New research from Harvard suggests that the freshly discovered software flaws called zero day vulnerabilities are independently rediscovered much faster than previously thought. The rediscovery rate has big implications for U.S. cybersecurity policy because it would change the calculation officials make when deciding whether to reveal zero days discovered by U.S. agencies so they can be fixed, or keep them secret so they can be used to spy on foreign adversaries and in other cyber-operations. “If the rediscovery rate is this high, the number of vulnerabilities [secretly retained] for operational use should be lower or subject to more aggressive scrutiny,” said Trey Herr, a post-doctoral fellow at the Belfer Center at Harvard. Herr, along with security guru Bruce Schneier and Christopher Morris, a research assistant from the Harvard school of engineering, published their findings this week after a lengthy peer-review process, and will present them at the Black Hat USA conference in Las Vegas next week. […]

The post Study: Zero days rediscovered much faster appeared first on Cyberscoop.


Bill reforming NSA hacking policy has skeptics in White House

The Trump administration has concerns about a proposed reform of the policy process the U.S. government uses when deciding how to handle newly discovered software vulnerabilities known as zero days, White House Cybersecurity Coordinator Rob Joyce told a meeting of tech leaders in Boston this week. The vulnerability equities process, or VEP, is how government officials decide whether to disclose such flaws to the software manufacturer, so they can be patched and all users made safe, or to secretly keep them and use them to spy on U.S. adversaries. Former officials said the process needs overhauling and lawmakers dropped a bill to codify it — the Protecting our Ability To Counter Hacking, or PATCH, Act. The bill would codify the VEP into law, establishing a review board that would publish guidelines explaining the basis for its decisions. Joyce, addressing the launch of CyberMA, a Massachusetts affiliate of the national CyberUSA initiative on Monday, said Trump administration officials were engaging with […]

The post Bill reforming NSA hacking policy has skeptics in White House appeared first on Cyberscoop.
