Ricardo Arroyo
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile

When it comes to acceptable circumstances for government disclosure of zero-days, the new Vulnerabilities Equity Process might be the accountability practice security advocates have been waiting for.

Where do you stand in the debate over whether governments should stockpile vulnerabilities? Some believe that regardless of its utility, the practice of keeping software vulnerabilities secret affects all users and they should be disclosed no matter the circumstances. On the other side of the argument are those who believe zero-days are a matter of national security and that if a vulnerability gives us an edge in warfare or intelligence gathering, it should be kept secret.

And then there's a third group, to which I belong. This crowd understands both the benefits and consequences that can occur when governments find and conceal vulnerabilities. Ultimately, this group believes we need to take an approach that's less binary and more circumstantial, factoring in both the pros and cons of the practice and how they change based on the situation and conditions at hand.

Did you know the US government has a process in place to do exactly that? It's called the Vulnerabilities Equity Process (VEP), defined as "a process used by the U.S. federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities, whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries." The VEP was developed in the late 2000s in response to a public outcry against the stockpiling of zero-day vulnerabilities. It was initially kept secret until the Electronic Frontier Foundation received redacted documentation through a Freedom of Information Act (FOIA) request in 2016. After the disclosure of the ShadowBrokers in mid-2017, the White House released an updated version of the VEP to the public in an attempt to improve transparency around the process. Let's explore how it works.

Today's VEP Process
The process is run with the authority of the White House and is led by both a representative from the National Security Agency (NSA), under the direction of the secretary of defense, as the executive secretariat, and the president's cybersecurity coordinator as the director. Other participants include representatives from 10 government agencies that comprise the Equities Review Board.

The process dictates an exchange between the organizations that discover these vulnerabilities, the secretariat, and the members of the Equities Review Board. During this exchange, vulnerabilities are disclosed to the group so each member can claim equity (for example, explaining "Here's how this vulnerability affects me"). This claim kicks off a round of discussion between the reporter and the equity claimants to determine whether to recommend disclosing or restricting the vulnerability. The final decision to accept the recommendation or come up with alternatives is made by consensus of the Equities Review Board. Once a disclosure decision is made, dissemination happens within seven days. Adding up the time frames, the entire end-to-end process from discovery to dissemination can take anywhere from a week to one month, which is fast for a US government process.

The VEP also requires an annual report that includes statistical data on the process and its outcomes throughout the year. The report requires an unclassified executive summary at a minimum. The first reporting period closed on September 30, 2018, so we should expect an annual report soon.

Gaps and Exceptions
This process is by no means perfect. Between accommodations in the timetable, the varying nondisclosure action options, and the complex back-and-forth between organizations, there is potential for our government to simply maintain the old status quo and fall short of the level of transparency the VEP was intended to deliver. A recent report outlined a solid list of issues associated with the process, which includes the following factors:

  1. NDAs and other agreements. The VEP is subject to legal restrictions on disclosure, such as nondisclosure agreements, memoranda of understanding, and other agreements with foreign or private sector partners. This opens up the possibility for either party to hide behind these agreements in order to prevent disclosure.
  2. Lack of Risk Rating. The industry rates vulnerabilities by severity based on many factors. The VEP does not mandate any such rating. The absence of this kind of categorization or ranking process could result in misleading statistics at the end of the year. For example, the VEP could publicly state that it disclosed 100 vulnerabilities this year, but without context those could all be low-risk issues that have very little impact on the private sector.
  3. NSA Leadership. Considering the fact that the NSA is likely the greatest equity holder, as well as the most experienced in dealing with vulnerabilities, it comes as no surprise that a representative from the NSA was chosen as the secretariat. This position allows the largest equity holder the most power in this process.
  4. Alternative to Disclosure. While public disclosure is the default, other options include: disclosing mitigation information but not the vulnerability itself, limited use by our government, disclosing to US allies at a classified level, and indirect disclosure to the vendor. Many of these options keep the vulnerability a secret, negating the benefit that disclosure would bring.

Lack of Transparency
In addition to this list, there doesn't seem to be any private sector oversight built into the process. One of the issues I always find when arguing about zero-days is trust. The individual who believes vulnerabilities should always be disclosed for the betterment of security will rarely accept the response of an insider stating: "We can't because it's worth keeping secret." With the 10 agencies in the Equities Review Board including both the Department of Commerce and Department of Homeland Security, one could assume it is their responsibility to keep the private sector in mind. This does little to ease the mind of the security advocate, as these are positions appointed by the executive branch.

I believe the government should include a private sector review board of select industry representatives and cybersecurity experts who can hold a security clearance. These board members could review the outcomes of the VEP process on a monthly or quarterly basis. I believe that security advocates would be more willing to accept the response "We can't because it's worth keeping secret" if they hear it from a widely accepted industry expert as well as from the government.

Ricardo Arroyo, senior technical product manager and ThreatSync guru, is responsible for guiding the design and implementation of threat detection and response at WatchGuard Technologies. Following a 15-year career at the NSA, where he worked as an analyst and cyber ...

User Rank: Moderator
1/26/2019 | 2:33:26 AM
Selective disclosure
What I reckon is happening is that the government is keeping all these secrets in storage for fear that if the data got out, the hackers would be able to replicate what's been going on. They would have to be very careful what information to release if they're going to disclose any of it at all!
User Rank: Apprentice
1/25/2019 | 2:27:16 AM
Staying neutral is best
I guess I belong in the third group as well because every scenario would often come with its own pros and cons. It is not entirely up to us alone to weigh in on whether or not the vulnerabilities should indeed be kept in secret storage or be let out in the open. Instead, we need to analyze the given situation at that exact moment in time to see which solution suits best.
User Rank: Strategist
1/17/2019 | 9:19:02 AM
> "And then there's a third group, to which I belong. This crowd understands both the benefits and consequences that can occur when governments find and conceal vulnerabilities."
> implies only the third group understands both
> proceeds to show that the third group clearly doesn't, as they support a government weaponizing zero-days at the expense of the citizens for its own personal gain