
Ricardo Arroyo
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile

When it comes to acceptable circumstances for government disclosure of zero-days, the new Vulnerabilities Equity Process might be the accountability practice security advocates have been waiting for.

Where do you stand in the debate over whether governments should stockpile vulnerabilities? Some believe that regardless of its utility, the practice of keeping software vulnerabilities secret affects all users and they should be disclosed no matter the circumstances. On the other side of the argument are those who believe zero-days are a matter of national security and that if a vulnerability gives us an edge in warfare or intelligence gathering, it should be kept secret.

And then there's a third group, to which I belong. This crowd understands both the benefits and consequences that can occur when governments find and conceal vulnerabilities. Ultimately, this group believes we need to take an approach that's less binary and more circumstantial, factoring in both the pros and cons of the practice and how they change based on the situation and conditions at hand.

Did you know the US government has a process in place to do exactly that? It's called the Vulnerabilities Equity Process (VEP), defined as "a process used by the U.S. federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities, whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries." The VEP was developed in the late 2000s in response to a public outcry against the stockpiling of zero-day vulnerabilities. It was initially kept secret, until the Electronic Frontier Foundation obtained redacted documentation through a Freedom of Information Act (FOIA) request in 2016. After the ShadowBrokers leaks in mid-2017, the White House released an updated version of the VEP to the public in an attempt to improve transparency around the process. Let's explore how it works.

Today's VEP Process
The process is run under the authority of the White House. It is led by a representative from the National Security Agency (NSA), acting under the direction of the secretary of defense, as the executive secretariat, and by the president's cybersecurity coordinator as the director. Other participants are representatives from the 10 government agencies that make up the Equities Review Board.

The process dictates an exchange between the organizations that discover these vulnerabilities, the secretariat, and the members of the Equities Review Board. During this exchange, vulnerabilities are disclosed to the group so that each member can claim equity (for example, explaining "Here's how this vulnerability affects me"). Each claim kicks off a round of discussion between the reporter and the equity claimants to determine whether to recommend disclosing or restricting the vulnerability. The final decision to accept the recommendation or come up with alternatives is made by consensus of the Equities Review Board. Once a disclosure decision is made, dissemination happens within seven days. Adding up the time frames, the entire end-to-end process from discovery to dissemination can take anywhere from a week to one month, which is fast for a US government process.

The VEP also requires an annual report that includes statistical data on the process and its outcomes throughout the year. The report requires an unclassified executive summary at a minimum. The first reporting period closed on September 30, 2018, so we should expect an annual report soon.

Gaps and Exceptions
This process is by no means perfect. Between accommodations in the timetable, the varying nondisclosure options, and the complex back-and-forth between organizations, there is potential for our government to simply maintain the old status quo and fall short of the level of transparency the VEP was intended to deliver. A recent report outlined a solid list of issues associated with the process (you can read the original article here), which includes the following factors:

  1. NDAs and other agreements. The VEP is subject to legal restrictions on disclosure arising from nondisclosure agreements, memoranda of understanding, and other agreements with foreign or private sector partners. This opens up the possibility that either party could hide behind such an agreement in order to prevent disclosure.
  2. Lack of Risk Rating. The industry rates vulnerabilities by severity based on many factors. The VEP does not mandate any such rating. The absence of this kind of categorization or ranking could result in misleading statistics at the end of the year. For example, the VEP could publicly state that it disclosed 100 vulnerabilities this year, but without context those could all be low-risk issues that have very little impact on the private sector.
  3. NSA Leadership. Considering the fact that the NSA is likely the greatest equity holder, as well as the most experienced in dealing with vulnerabilities, it comes as no surprise that a representative from the NSA was chosen as the secretariat. This position allows the largest equity holder the most power in this process.
  4. Alternative to Disclosure. While public disclosure is the default, other options include: disclosing mitigation information but not the vulnerability itself, limited use by our government, disclosing to US allies at a classified level, and indirect disclosure to the vendor. Many of these options keep the vulnerability a secret, negating the benefit that disclosure would bring.

Lack of Transparency
In addition to this list, there doesn't seem to be any private sector oversight built into the process. One of the issues I always find when arguing about zero-days is trust. The individual who believes vulnerabilities should always be disclosed for the betterment of security will rarely accept the response of an insider stating: "We can't because it's worth keeping secret." With the 10 agencies in the Equities Review Board including both the Department of Commerce and Department of Homeland Security, one could assume it is their responsibility to keep the private sector in mind. This does little to ease the mind of the security advocate, as these are positions appointed by the executive branch.

I believe the government should include a private sector review board of select industry representatives and cybersecurity experts who can hold a security clearance. These board members could review the outcomes of the VEP process on a monthly or quarterly basis. I believe that security advocates would be more willing to accept the response "We can't because it's worth keeping secret" if they hear it from a widely accepted industry expert as well as from the government.

Ricardo Arroyo, senior technical product manager and ThreatSync guru, is responsible for guiding the design and implementation of threat detection and response at WatchGuard Technologies. Following a 15-year career at the NSA, where he worked as an analyst and cyber ...

User Rank: Moderator
1/26/2019 | 2:33:26 AM
Selective disclosure
What I reckon is happening is that the government is keeping all these secrets in storage for fear that if the data got out, the hackers would be able to replicate what's been going on. They would have to be very careful what information to release if they're going to disclose any of it at all!
User Rank: Apprentice
1/25/2019 | 2:27:16 AM
Staying neutral is best
I guess I belong in the third group as well, because every scenario would often come with its own pros and cons. It is not entirely up to us alone to weigh in on whether or not the vulnerabilities should indeed be kept in secret storage or be let out in the open. Instead, we need to analyze the given situation at that exact moment in time to see which solution suits best.
User Rank: Strategist
1/17/2019 | 9:19:02 AM
> "And then there's a third group, to which I belong. This crowd understands both the benefits and consequences that can occur when governments find and conceal vulnerabilities."
> implies only third group understand both
> proceeds to show that the third group clearly doesn't, as they support a government weaponizing zero-days at the expense of the citizens for its own personal gain