EFF has won a battle in its fight to get the government to disclose its policy for deciding whether to tell the public about critical flaws in software when it finds out about them. Last year, we filed suit under the Freedom of Information Act to obtain the so-called Vulnerabilities Equities Process (VEP). At first, the government told us the document was entirely classified, but just weeks before we were set to challenge those claims in court, it relented. We received the VEP late last night, right before the long weekend.
Our interest in the VEP and the core concern over the government’s knowledge and use of “zero-days” and other vulnerabilities is that they often exist in products that are used widely by the general populace. If the government chooses to keep a vulnerability secret for intelligence purposes, for example, it does not notify the developer, which would likely otherwise issue a patch and protect users from online adversaries such as identity thieves or foreign governments who may also be aware of the zero-day. That’s why the US government’s written policy on what to do with zero-days is so important.
It’s worth noting that it took more than a year of litigation to get access to a single document that government officials have publicly talked about on multiple occasions, including in an interview with Wired. What’s more, these officials reassured the public that the policy is intended to strongly favor public disclosure of vulnerabilities, even listing some of the specific considerations that go into those decisions. And yet, when initially faced with our FOIA suit, the government said the process was too secret to release even a word. That’s not transparency.
There are still some important blank spots in the document. Details of the process remain redacted, although the surrounding information sheds more light on which components of the government are involved, and how vulnerabilities make it into review. Notably, the office within the NSA responsible for overseeing the VEP “[m]aintains records of all vulnerabilities that have been identified” and produces an annual report.
We don’t know how this process squares with the government’s claims that in the vast majority of cases it discloses vulnerabilities to the public rather than holding on to them for intelligence or law enforcement purposes. We’re still digesting the document and deciding whether we want to challenge any of the remaining redactions. We’ll have more soon.