Vulnerabilities Equities Process
The Vulnerabilities Equities Process (VEP) is a U.S. federal government process for determining how the government should treat zero-day computer security vulnerabilities: whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries.[1]
The VEP was developed in the period 2008-2009, but only became public in 2016, when the government released a redacted version of the VEP in response to a FOIA request by the Electronic Frontier Foundation.[2][3]
Following public pressure for greater transparency in the wake of the Shadow Brokers affair, the U.S. government made a more public disclosure of the VEP process in November 2017.[1][4]
Organization
According to the VEP plan published in 2017, the Equities Review Board (ERB) is the primary forum for interagency deliberation and determinations concerning the VEP.[4] The ERB meets monthly, but may also be convened sooner if an immediate need arises.
The ERB will consist of representatives from the following agencies to represent the view of their respective agency head:
- Office of Management and Budget
- Office of the Director of National Intelligence (to include Intelligence Community-Security Coordination Center (IC-SCC))
- United States Department of the Treasury
- United States Department of State
- United States Department of Justice (to include the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force (NCIJTF))
- Department of Homeland Security (to include the National Cybersecurity Communications and Integration Center (NCCIC) and the United States Secret Service (USSS))
- United States Department of Energy
- United States Department of Defense (including the National Security Agency (NSA) (including Information Assurance and Signals Intelligence elements), United States Cyber Command, and DoD Cyber Crime Center (DC3))
- United States Department of Commerce
- Central Intelligence Agency
The National Security Agency serves as the executive secretariat for the VEP.[4]
Process
According to the November 2017 version of the VEP, the process is as follows:
Submission
When an agency finds a vulnerability, it will notify the VEP secretariat as soon as is possible. The submission will include information describing the vulnerability including identification of the vulnerable products or systems, and the agency's recommendation to either disseminate or restrict the vulnerability information.[4]
Notification
The VEP secretariat will notify all VEP participants of the submission within one business day, requesting them to respond if they have a relevant interest.[4]
Equity and discussions
An agency that claims an equity must indicate whether it concurs with the recommendation to disseminate or restrict within 5 business days.
The primary purpose of sharing among agencies is to gain consensus on recommendations for the ERB. If an agency does not concur with a recommendation to disseminate or restrict, one or more SMEs from the submitting agency will hold discussions with the non-concurring agency or agencies and the VEP Executive Secretariat within 7 business days to reach consensus. If no consensus is reached, the participants will provide options for the ERB.[4]
Determination to disseminate or restrict
Decisions whether to disclose or restrict a vulnerability will be made quickly, in full consultation with all concerned agencies, and in the overall best interest of USG missions of cybersecurity, intelligence, counterintelligence, law enforcement, military operations, and critical infrastructure protection. To the extent possible and practical, determinations to disclose or restrict will be based on repeatable techniques or methodologies that enable benefits and risks to be objectively evaluated by VEP participants. This process employs techniques that include assessment factors such as prevalence, reliance, and severity in accordance with the equity considerations in Annex B. ERB determinations for follow-on actions and next steps should be reached in a timely fashion. When there is consensus among those agencies that claimed an equity, the timeline will be shortened. It is the intent of VEP participants that ERB determinations be made by consensus. If the ERB members cannot reach consensus, they will vote on a preliminary determination. If an agency with an equity disputes the preliminary determination of the ERB, that participant may, by providing notice to the VEP Executive Secretariat, elect to contest the preliminary determination in accordance with Section 5.2.6. If no agency contests a preliminary determination, it will be treated as a final determination.[4]
Handling and follow-on actions
If vulnerability information is released, dissemination will be made in the most expeditious manner and when possible within 7 business days. Disclosure of vulnerabilities submitted for equity review will be conducted according to agreed-upon guidelines that are consistently and responsibly followed by all members. The submitting agency is presumed to be most knowledgeable about the vulnerability and, as such, will be responsible for disseminating vulnerability information to the vendor. If the submitting agency so chooses, it may elect to delegate dissemination responsibility to another agency on its behalf. The releasing agency will promptly provide an information copy of dissemination information to the VEP Executive Secretariat for record keeping. Additionally, the releasing agency is expected to follow up so the ERB can determine whether the vendor's action meets USG requirements. If the vendor chooses not to address a vulnerability, or is not acting with urgency consistent with the risk of the vulnerability, the releasing agency will notify the VEP Executive Secretariat, and the USG may take other mitigation steps.[4]
Criticism
The VEP process has been criticised for a number of deficiencies, including restriction by non-disclosure agreements, lack of risk ratings, special treatment for the NSA, and less than whole-hearted commitment to disclosure as the default option.[5]
References
- [1] Newman, Lily Hay. "Feds Explain Their Software Bug Stash—But Don't Erase Concerns". WIRED. Retrieved 2017-11-16.
- [2] Electronic Privacy Information Center. "EPIC - Vulnerabilities Equities Process". epic.org. Retrieved 2017-11-16.
- [3] "Vulnerabilities Equities Process (VEP)". Electronic Frontier Foundation. 2016-01-18. Retrieved 2017-11-16.
- [4] "Vulnerabilities Equities Policy and Process for the United States Government" (PDF). www.whitehouse.gov. November 15, 2017. Retrieved 2017-11-16.
- [5] "The four problems with the US government's latest rulebook on security bug disclosures". Retrieved 2017-11-16.