Vulnerabilities Equities Process
The Vulnerabilities Equities Process (VEP) is a process used by the U.S. federal government to determine, on a case-by-case basis, how it should treat zero-day computer security vulnerabilities: whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries.[1]
The VEP was first developed during the period 2008-2009, but only became public in 2016, when the government released a redacted version of the VEP in response to a FOIA request by the Electronic Frontier Foundation.[2][3]
Following public pressure for greater transparency in the wake of the Shadow Brokers affair, the U.S. government made a more public disclosure of the VEP process in November 2017.[1][4]
Participants
According to the VEP plan published in 2017, the Equities Review Board (ERB) is the primary forum for interagency deliberation and determinations concerning the VEP.[4] The ERB meets monthly, but may also be convened sooner if an immediate need arises.
The ERB consists of representatives from the following agencies:
- Office of Management and Budget
- Office of the Director of National Intelligence (including the Intelligence Community-Security Coordination Center)
- United States Department of the Treasury
- United States Department of State
- United States Department of Justice (including the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force)
- Department of Homeland Security (including the National Cybersecurity and Communications Integration Center and the United States Secret Service)
- United States Department of Energy
- United States Department of Defense (including the National Security Agency, with its Information Assurance and Signals Intelligence elements; United States Cyber Command; and the DoD Cyber Crime Center)
- United States Department of Commerce
- Central Intelligence Agency
The National Security Agency serves as the executive secretariat for the VEP.[4]
Process
According to the November 2017 version of the VEP, the process is as follows:
Submission and notification
When an agency finds a vulnerability, it will notify the VEP secretariat as soon as possible. The notification will include a description of the vulnerability and the vulnerable products or systems, together with the agency's recommendation to either disseminate or restrict the vulnerability information.
The secretariat will then notify all participants of the submission within one business day, requesting them to respond if they have a relevant interest.[4]
Equity and discussions
An agency expressing an interest must indicate whether it concurs with the original recommendation to disseminate or restrict within five business days. If it does not, it will hold discussions with the submitting agency and the VEP secretariat within seven business days to attempt to reach consensus. If no consensus is reached, the participants will suggest options for the Equities Review Board.[4]
Determination to disseminate or restrict
Decisions on whether to disclose or restrict a vulnerability should be made quickly, in full consultation with all concerned agencies, and by balancing the competing interests of the missions of the U.S. government. As far as possible, determinations should be based on rational, objective methodologies, taking into account factors such as prevalence, reliance, and severity.
If the review board members cannot reach consensus, they will vote on a preliminary determination. If an agency with an equity disputes that decision, it may, by providing notice to the VEP secretariat, elect to contest the preliminary determination. If no agency contests a preliminary determination, it will be treated as a final decision.[4]
Handling and follow-on actions
If vulnerability information is released, this will be done as quickly as possible, preferably within seven business days.
Disclosure of vulnerabilities will be conducted according to guidelines agreed on by all members. The submitting agency is presumed to be most knowledgeable about the vulnerability and, as such, will be responsible for disseminating vulnerability information to the vendor. The submitting agency may elect to delegate dissemination responsibility to another agency on its behalf.
The releasing agency will promptly provide a copy of the disclosed information to the VEP secretariat for record keeping. Additionally, the releasing agency is expected to follow up so the ERB can determine whether the vendor's action meets government requirements. If the vendor chooses not to address a vulnerability, or is not acting with urgency consistent with the risk of the vulnerability, the releasing agency will notify the secretariat, and the government may take other mitigation steps.[4]
Criticism
The VEP process has been criticized for a number of deficiencies, including restriction by non-disclosure agreements, lack of risk ratings, special treatment for the NSA, and less than whole-hearted commitment to disclosure as the default option.[5]
1. There is a massive NDA loophole
The US govt’s decision to disclose or restrict vulnerability information could be subject to restrictions by foreign or private sector partners of the USG, such as Non-Disclosure Agreements, Memoranda of Understanding, or other agreements that constrain USG options for disclosing vulnerability information. While it is important to note that there may be restrictions, legal and otherwise, on disclosing vulnerabilities, this part of the policy potentially allows organizations seeking to sell technical details on security holes to block disclosure by concocting an NDA.[6]
2. There is no rating of risk
Typically, software vulnerabilities are rated according to how potentially dangerous they are. Microsoft, for example, has four ratings of severity: low, moderate, important and critical. This is useful to system administrators, who then know whether to focus on a patch immediately or leave it for a more convenient time. A rating system also allows a broader assessment of what and how many vulnerabilities are being disclosed. But there is no mention of ratings in the VEP policy. As such, others will have to assess how significant a bug is, which seems like an unnecessary additional delay, especially since the US government almost certainly applies its own internal severity rating. It is going to be hard to assess whether this new policy is actually achieving much without ratings: the NSA could publicly disclose 999 low- and medium-risk holes, and still keep five critical ones classified.[7]
3. The NSA gets special treatment
The NSA serves as the executive secretariat of the VEP and so coordinates everything, and it also gets control of anything that impacts its own equipment. If a vulnerability is found in GOTS (government off-the-shelf) equipment or systems that were certified by the NSA, or in any cryptographic function, whether in hardware or software, certified or approved by the NSA, then the vulnerability will be reported to the NSA as soon as practical. The NSA will assume responsibility for this vulnerability and submit it formally through the VEP Executive Secretariat.[8]
4. There are various other options
Even though disclosure is put forward as a default, the policy provides lots of other options instead of public disclosure. The US government's determination as to whether to disseminate or restrict a vulnerability is only one element of the vulnerability equities evaluation process and is not always a binary determination. Other options that can be considered include disseminating mitigation information to certain entities without disclosing the particular vulnerability, limiting use of the vulnerability by the USG in some way, informing US and allied government entities of the vulnerability at a classified level, and using indirect means to inform the vendor of the vulnerability.[9]
5. Subjectivity
In practice, deciding whether to disclose or use a vulnerability actually requires determining two things: (1) Will the vulnerability be used? (2) Is the vulnerability too dangerous? If the vulnerability will not be used—perhaps it cannot be reliably exploited or does not provide a capability useful for the US government—then the balance obviously tips towards disclosure. [Note: Even here, the “bias towards disclosure” may be less than strategic: vulnerabilities are often linked together and it is important to have backups.] If the vulnerability is “too dangerous”—for example, a vulnerability in software used often in the United States but rarely by US adversaries—then the balance likewise tips towards disclosure. The problem arises for those cases where it is not clear at the outset whether a vulnerability will be used or that it poses a clear risk—and for everything in the middle the questions quickly become rather subjective. How dangerous is too dangerous? How tenuous can a claim the US “might need” a vulnerability be before it becomes too speculative? How great does a risk that a given adversary finds a vulnerability need to be before the balance tips to disclosure?[10]
References
- [1] Newman, Lily Hay (2017-11-15). "Feds Explain Their Software Bug Stash—But Don't Erase Concerns". WIRED. Retrieved 2017-11-16.
- [2] Electronic Privacy Information Center. "Vulnerabilities Equities Process". epic.org. Retrieved 2017-11-16.
- [3] "Vulnerabilities Equities Process (VEP)". Electronic Frontier Foundation. 2016-01-18. Retrieved 2017-11-16.
- [4] "Vulnerabilities Equities Policy and Process for the United States Government" (PDF). www.whitehouse.gov. November 15, 2017. Retrieved 2017-11-16.
- [5] McCarthy, Kieren (15 November 2017). "The four problems with the US government's latest rulebook on security bug disclosures". The Register. Retrieved 2017-11-16.
- [6] https://www.theregister.co.uk/2017/11/15/us_governments_vulnerability_disclosure_policy/?page=2
- [7] https://www.theregister.co.uk/2017/11/15/us_governments_vulnerability_disclosure_policy/?page=2
- [8] https://www.theregister.co.uk/2017/11/15/us_governments_vulnerability_disclosure_policy/?page=2
- [9] https://www.theregister.co.uk/2017/11/15/us_governments_vulnerability_disclosure_policy/?page=2
- [10] https://www.lawfareblog.com/everything-you-know-about-vulnerability-equities-process-wrong