Feds may have to explain knowledge of security holes – if draft law comes into play

House reps approve bill requiring vuln disclosure reports
The US House of Representatives this week approved a bill that, given further legislative and executive branch support, will require the American government to account for its handling of software and hardware vulnerabilities.

The "Cyber Vulnerability Disclosure Reporting Act," sponsored by Rep Sheila Jackson Lee (D-TX), requires the Department of Homeland Security to issue "a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures."

The US government has not provided much detail about how it handles vulnerabilities that it becomes aware of, and advocacy organizations like the Electronic Frontier Foundation argue that more transparency is needed to debate the consequences of vulnerability research and disclosure.

"Perhaps the best thing about this short bill is that it is intended to provide some evidence for the government’s long-standing claims that it discloses a large number of vulnerabilities," said EFF attorneys Nate Cardozo and Andrew Crocker in a blog post on Friday.

The US National Security Agency has said it discloses most of the vulnerabilities it finds, more or less.

"Historically, the NSA has released more than 91 per cent of vulnerabilities discovered in products that have gone through our internal review process and are made or used in the United States," the agency said on its website in 2015, or so the Internet Archive's Wayback Machine would have us believe.

The remainder, the NSA said, are either fixed by vendors before disclosure or are retained for national security reasons.

But Cardozo and Crocker insist evidence of such disclosures has been scarce, noting that Apple received its first vulnerability disclosure from the government in 2016.

When vulnerabilities are not disclosed in a timely manner, one of the risks is that they will be revealed by hackers, as the Shadow Brokers did with the NSA's stockpile of flaws and related hacking tools. Another is that they will be independently discovered by those with malicious intent and used prior to public disclosure.

The Trump Administration's approach to the issue involves a revision of the Vulnerabilities Equities Process (VEP), a classified policy put in place in 2010 and revealed several years later that attempts to balance the tension between cyber offense and defense requirements.

The 2017 revision offers an updated take on how government agencies should decide what gets revealed and what stays secret.

The Cyber Vulnerability Disclosure Reporting Act doesn't really overlap with VEP, but if it survives the remaining legislative hurdles, it will ensure basic information about vulnerability handling gets circulated to lawmakers. ®
