The White House releases details on its vulnerability disclosure process
The White House has released an updated version of its Vulnerability Equity Process (VEP), an internal procedure according the which the government decides which software vulnerabilities it will disclose to vendors, and which it will withhold for its own use in cyber-attacks. While VEP was developed over several years since 2008, previous versions were largely classified and have raised numerous concerns by the private and civil sector. The updated version still has some parts classified – namely, the annex related to the exceptions due to restrictions by partner agreements and sensitive operations – yet the other parts are now unclassified. Justifying the existence of VEP and acknowledging the increased transparency about it, Rob Joyce, the White House Cybersecurity Coordinator, emphasised several guiding principles the government needs to respect: taking into account the interests of all stakeholders, accountability of the process and those who operate it, and informed and vigorous dialogue. Joyce reported that the government discloses more than 90% of the vulnerabilities it finds; yet Edward Snowden warned that the 10% withheld could be the most harmless. The improved version of VEP responds to criticism of some experts, such as Bruce Schneier, on the previous version, and now includes detailing of departments and agencies involved in the process, the criteria for decisions, mechanisms for objections by involved institutions, and issuing annual reports with at least an executive summary made public. The concerns remain, however, that the non-disclosed vulnerabilities could be leaked and again cause global havoc, as the WannaCry ransomware did, Wired reports.