EFF Reveals US Government Policy on Disclosing Software Vulnerabilities

Published: September 4, 2015 9:37 PM



In a very small step toward government transparency, the EFF has obtained access to the US government's Vulnerabilities Equities Process (VEP). This document represents the official policy on how US intelligence agencies are to respond when they discover security vulnerabilities in software. In some cases, they may act in the best interest of the public and disclose those vulnerabilities so that software companies can patch them. In other cases, they may keep quiet about the security holes in order to exploit them in the future, leaving users vulnerable to malicious attacks. The version of the VEP received by the EFF is redacted in some places, which undermines this victory a bit, but there is still some information to be gleaned from it. The VEP can be viewed online here.

A year ago, the EFF filed suit under the Freedom of Information Act to gain access to the VEP. Initially the government insisted that the entire document was classified and could not be revealed. Although the government has in the past insisted that its policy strongly favors public disclosure, these reassurances don't mean much if the government won't publicly reveal what its official policy is. However, the government appears to have had a change of heart regarding the VEP. Just weeks before the lawsuit was going to reach court, the government provided the redacted VEP to the EFF, despite its initial reluctance.

Although fairly substantial portions of the document are redacted, there are a few interesting details to be gathered. It appears that an office within the NSA is central to this process and has been designated the Executive Secretariat for it. The Executive Secretariat facilitates the flow of information between different departments, maintains records of the process, and delivers an annual report.

The policy is focused on vulnerabilities that are not publicly known, using a broad definition of that term. If a vulnerability is already out there on the internet or in a trade journal, the government considers it publicly known and does not put it through this process. For older vulnerabilities found before this program began, there is no requirement to disclose them to the group or to the public, although agencies may do so if they wish. The document also lists several government entities that may submit vulnerabilities to be considered in this process, such as the Departments of State, Justice, Homeland Security, Treasury, Commerce, and Energy, and the Office of the Director of National Intelligence. Other entities may be named in the redacted sections.

Despite the redactions, the EFF is counting this as a victory, although a small one. Right now, the EFF is still analyzing the document, as well as considering whether or not to challenge the redactions in court.

Should the government be more open with its policy on whether to disclose software vulnerabilities? Leave your comment below.
