Vulnerabilities Equities Process

Last updated

The Vulnerabilities Equities Process (VEP) is a process used by the U.S. federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities: whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries. [1]

Contents

The VEP was first developed during the period 2008–2009, but only became public in 2016, when the government released a redacted version of the VEP in response to a FOIA request by the Electronic Frontier Foundation. [2] [3]

Following public pressure for greater transparency in the wake of the Shadow Brokers affair, the U.S. government made a more public disclosure of the VEP process in November 2017. [1] [4]

Participants

According to the VEP plan published in 2017, the Equities Review Board (ERB) is the primary forum for interagency deliberation and determinations concerning the VEP. [4] The ERB meets monthly, but may also be convened sooner if an immediate need arises.

The ERB consists of representatives from the following agencies:

The National Security Agency serves as the executive secretariat for the VEP. [4]

Process

According to the November 2017 version of the VEP, the process is as follows:

Submission and notification

When an agency finds a vulnerability, it will notify the VEP secretariat as soon as is possible. The notification will include a description of the vulnerability and the vulnerable products or systems, together with the agency's recommendation to either disseminate or restrict the vulnerability information.

The secretariat will then notify all participants of the submission within one business day, requesting them to respond if they have an relevant interest. [4]

Equity and discussions

An agency expressing an interest must indicate whether it concurs with the original recommendation to disseminate or restrict within five business days. If it does not, it will hold discussions with the submitting agency and the VEP secretariat within seven business days to attempt to reach consensus. If no consensus is reached, the participants will suggest options for the Equities Review Board. [4]

Determination to disseminate or restrict

Decisions whether to disclose or restrict a vulnerability should be made quickly, in full consultation with all concerned agencies, and in the overall best interest of the competing interests of the missions of the U.S. government. As far as possible, determinations should be based on rational, objective methodologies, taking into account factors such as prevalence, reliance, and severity.

If the review board members cannot reach consensus, they will vote on a preliminary determination. If an agency with an equity disputes that decision, they may, by providing notice to the VEP secretariat, elect to contest the preliminary determination. If no agency contests a preliminary determination, it will be treated as a final decision. [4]

Handling and follow-on actions

If vulnerability information is released, this will be done as quickly as possible, preferably within seven business days.

Disclosure of vulnerabilities will be conducted according to guidelines agreed on by all members. The submitting agency is presumed to be most knowledgeable about the vulnerability and, as such, will be responsible for disseminating vulnerability information to the vendor. The submitting agency may elect to delegate dissemination responsibility to another agency on its behalf.

The releasing agency will promptly provide a copy of the disclosed information to the VEP secretariat for record keeping. Additionally, the releasing agency is expected to follow up so the ERB can determine whether the vendor's action meets government requirements. If the vendor chooses not to address a vulnerability, or is not acting with urgency consistent with the risk of the vulnerability, the releasing agency will notify the secretariat, and the government may take other mitigation steps. [4]

Criticism

The VEP process has been criticized for a number of deficiencies, including restriction by non-disclosure agreements, lack of risk ratings, special treatment for the NSA, and less than whole-hearted commitment to disclosure as the default option. [5]

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

<span class="mw-page-title-main">Australian Signals Directorate</span> Australian signals intelligence agency

The Australian Signals Directorate (ASD), formerly the Defence Signals Directorate, is a statutory agency of the Government of Australia responsible for signals intelligence, providing intelligence support to Australian military operations, conducting cyberwarfare and ensuring information security. The ASD is a part of the larger Australian Intelligence Community, and its role within the so-called Five Eyes intelligence-sharing alliance is to monitor signals intelligence in South and East Asia. The Australian Cyber Security Centre (ACSC) is an agency within the ASD.

<span class="mw-page-title-main">Classified information</span> Material that government claims requires confidentiality

Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance with a need to know. Mishandling of the material can incur criminal penalties.

<span class="mw-page-title-main">United States Intelligence Community</span> Collective term for US federal intelligence and security agencies

The United States Intelligence Community (IC) is a group of separate U.S. federal government intelligence agencies and subordinate organizations that work both separately and collectively to conduct intelligence activities which support the foreign policy and national security interests of the United States. Member organizations of the IC include intelligence agencies, military intelligence, and civilian intelligence and analysis offices within federal executive departments.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

The United States Computer Emergency Readiness Team (US-CERT) was a team under the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security.

The Invention Secrecy Act of 1951 is a body of United States federal law designed to prevent disclosure of new inventions and technologies that, in the opinion of selected federal agencies, present an alleged threat to the economic stability or national security of the United States.

The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic of classified information beginning in 1951. Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.

<span class="mw-page-title-main">CERT Coordination Center</span>

The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center. The CERT/CC researches software bugs that impact software and internet security, publishes research and information on its findings, and works with businesses and the government to improve the security of software and the internet as a whole.

In computer security, coordinated vulnerability disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

<span class="mw-page-title-main">Sensitive security information</span> Category of information in the US government

Sensitive security information (SSI) is a category of United States sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not a security classification for national security information. The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations (CFR) parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons.

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

<span class="mw-page-title-main">Ari Schwartz</span> American adviser

Ari M. Schwartz is an American cybersecurity and technology policy expert. He is the former Special Assistant to the President and senior director for cybersecurity on the United States National Security Council Staff at the White House, having left the role in October 2015. Previously, Schwartz worked in both the Executive Branch and civil society as on cybersecurity, privacy, civil liberties, and policy. He is an advocate for vulnerability disclosure programs.

<span class="mw-page-title-main">Whistleblower protection in the United States</span>

A whistleblower is a person who exposes any kind of information or activity that is deemed illegal, unethical, or not correct within an organization that is either private or public. The Whistleblower Protection Act was made into federal law in the United States in 1989.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

<span class="mw-page-title-main">Intelligence Authorization Act for Fiscal Year 2014</span> United States Law

The Intelligence Authorization Act for Fiscal Year 2014 is a U.S. public law that authorizes appropriations for fiscal year 2014 for intelligence activities of the U.S. government. The law authorizes there to be funding for intelligence agencies such as the Central Intelligence Agency or the National Security Agency, but a separate appropriations bill would also have to pass in order for those agencies to receive any money.

NOBUS is a term used by the United States National Security Agency (NSA) to describe a known security vulnerability that it believes the United States (US) alone can exploit.

Election cybersecurity or election security refers to the protection of elections and voting infrastructure from cyberattack or cyber threat – including the tampering with or infiltration of voting machines and equipment, election office networks and practices, and voter registration databases.

Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV anti-virus engine.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. 1 2 Newman, Lily Hay (November 15, 2017). "Feds Explain Their Software Bug Stash—But Don't Erase Concerns". WIRED. Retrieved November 16, 2017.
  2. "Vulnerabilities Equities Process". epic.org. Retrieved November 16, 2017.
  3. "Vulnerabilities Equities Process (VEP)". Electronic Frontier Foundation. January 18, 2016. Retrieved November 16, 2017.
  4. 1 2 3 4 5 6 7 "Vulnerabilities Equities Policy and Process for the United States Government" (PDF). whitehouse.gov . November 15, 2017. Retrieved November 16, 2017 via National Archives.
  5. McCarthy, Kieren (November 15, 2017). "The four problems with the US government's latest rulebook on security bug disclosures". The Register. Retrieved November 16, 2017.

See also

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.