This article originally appeared at The WHIR
Despite US government claims that it has “reinvigorated” its vulnerability disclosure policies, the newest relevant policy document for the Office of the Director of National Intelligence (ODNI) is from 2010. A lawsuit filed by the Electronic Frontier Foundation (EFF) to follow up on a freedom on information request has revealed this week that the Vulnerabilities Equities Process (VEP) does not include a single document with the ODNI since then.
In an April 2014 blog post, White House Special Assistant to the President and Cybersecurity Coordinator Michal Daniel explained elements of the government’s vulnerability disclosure policy.
“This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities – so that everyone can have confidence in the integrity of the process we use to make these decisions,” Daniels wrote. Later in the post he added: “We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed.”
The wording of the above statements does not necessarily mean that there is a new policy at all, but rather that the implementation of the old policy has been changed. An EFF post relating the results of its fact-finding suit, however, disputes that claim. Reports on the annual CIA hacker “jamboree,” where software vulnerabilities and exploits are shared, suggest that implementation of the VEP is far from vigorous, according to the EFF.
An official NSA denial of a Bloomberg report that the NSA was aware of the Heartbleed OpenSSL vulnerability is worded even more strongly than Daniel’s claim.
“In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities,” the NSA said.
While the EFF is due to receive documents from the NSA in the next three weeks, “an interagency process” which had been reinvigorated would surely include notice to the ODNI of some change to the VEP. In the absence of any such document, the EFF calls the VEP “vaporware.”
WIRED notes that the ODNI documents provided to the EFF appear also to show that the use of zero-day vulnerabilities to hack Iranian networks came before any vulnerability policy had been created at all.
The US government statements on vulnerability disclosure may have reassured some portion of the public during the height of media attention on software vulnerabilities. However, the EFF and industry stakeholders may now see them more as legalese setting up plausible deniability.