In a very small step toward government transparency, the EFF has obtained access to the US government’s Vulnerabilities Equity Process. This document represents the official policy on how US intelligence agencies are to respond when they discover security vulnerabilities in software. In some cases, they may act in the best interest of the public and disclose those vulnerabilities so that software companies can patch them. In other cases, they may keep quiet about the security holes in order to exploit them in the future, leaving the users vulnerable to malicious attacks. The version of the VEP received by the EFF is redacted in some places, which does undermine this victory a bit, but there is still some information to be gleaned from it. The VEP can be viewed online here.
A year ago, the EFF filed suit under the Freedom of Information Act, to gain access to the VEP. Initially the government insisted that the entire document was classified and could not be revealed. Although the government has in the past insisted that its policy strongly favors public disclosures, these reassurances don’t mean much if the government won’t publicly reveal what its official policy is. However, the government appears to have had a change of heart regarding the VEP. Just weeks before the lawsuit was going reach court, the government provided the redacted VEP to the EFF, despite its initial reluctance.
Although fairly substantial portions of the document are redacted, there are a few interesting details to be gathered. It appears as though an office within the NSA is central to this process, and has been designated the Executive Secretariat for the process. The Executive Secretariat facilitates information flow between different departments, as well as maintaining records of the process, and delivering an annual report.
Despite the redactions, the EFF is counting this a victory, although it is a small one. Right now, the EFF is still analyzing the document, as well as considering whether or not to challenge the redactions in court.
Should the government be more open with its policy on whether to disclose software vulnerabilities? Leave your comment below.