After more than a year of legal wrangling, the federal government has agreed to hand over its policy on vulnerability use and disclosure. The government had said that the policy was classified and too sensitive to release, but relented late last week and sent the document to the EFF, albeit a heavily redacted version.
Known as the Vulnerabilities Equities Process, the document outlines the criteria that the government uses when deciding whether to keep information about vulnerabilities discovered by the government or its contractors private. The 13-page policy applies to a variety of hardware and software, including government-built systems, commercial systems, SCADA systems, and ICS systems.
“USG entities shall appropriately classify and/or designate for special handling, in accordance with their own department/agency classification guidance and policy, vulnerabilities discovered by the USG or by non-USG entities under contracts with the USG, or disclosed to the USG by the private sector or foreign allies prior to entry into this process,” the VEP document says.
“In some circumstances, information may be unclassified yet designated as Protected Critical Infrastructure Information (PCII) and will be afforded protection under the DHS PCII rules and programs. The designation or classification may be formally changed during the process. Classification decisions may necessarily identify information as Protected Critical Infrastructure Information (PCII) requiring special handling. The fact that a vulnerability exists, and the risk information relating to a vulnerability, will be classified in accordance with applicable national security classification guidelines.”
The EFF filed legal action against the National Security Agency and Office of the Director of National Intelligence last summer, seeking the release of the VEP. Government officials have discussed the policy several times publicly, but in specific terms. Last year, White House officials said that the government typically leans toward disclosing vulnerability information, but not in every case.
“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” Michael Daniel, special assistant to the president and cybersecurity coordinator, wrote in a blog post last year.
The version of the document released last week has many large sections that are redacted, including the specific steps that agencies go through when evaluating whether to release information about a newly discovered vulnerability. The EFF said that the release of the VEP is an important step, but doesn’t show the whole picture, given the redactions.
“There are still some important blank spots in the document. Details of the process remain redacted, although the surrounding information sheds more light on which components of the government are involved, and how vulnerabilities make it into review. Notably, the office within the NSA responsible for overseeing the VEP ‘[m]aintains records of all vulnerabilities that have been identified’ and produces an annual report,” Andrew Crocker, a staff attorney at the EFF, said in a blog post.
Government use of zero-day vulnerabilities for law enforcement and intelligence purposes has become a controversial practice, particularly in the wake of the Snowden revelations. Privacy advocates and security researchers have been asking for more information about how the government handles the discovery and use of zero days, and this is the first real look at the details of that process.