Redacted: This is how the government ‘informs’ you about critical software flaws

The US government has released a document describing the process it undertakes when deciding whether or not to inform the public about critical vulnerabilities it discovers in software. However, important details remain redacted.

Essentially, the document shows that an interagency review board, facilitated by an office within the National Security Agency (NSA) called the ‘Executive Secretariat’, decides whether the public will learn about software flaws that could be exploited. The entire practice is known as the ‘Vulnerabilities Equities Process’, or VEP.

Information about the process itself, however, was redacted. The government also redacted all information regarding a decision to not disclose security vulnerabilities.

Despite initially stating that the entire document was classified, the government released it Thursday to the Electronic Frontier Foundation, the digital rights advocacy group which had filed a lawsuit seeking more information about the VEP.

Concern over the VEP stems from the government’s acknowledgment that it uses “zero-day” exploits against foreign targets and criminal suspects. These zero-day exploits take advantage of vulnerabilities in computer software that are not known to the software developer. Since they are not known, malicious code can be designed to exploit the vulnerabilities and attack the computers targeted by governments and hackers, both US and foreign.

In April 2014, the US stated that “unless there is a clear national security or law enforcement need” for a zero-day exploit, “it is in the national interest to responsibly disclose the vulnerability.” The VEP was then cited as the government’s way of deciding when to disclose such exploits, and it was described as “biased toward” disclosure.

The newly released document states that in order for an exploit to be submitted into the VEP, it must meet the threshold of being “both newly discovered and not previously known.” Previously, the government declined to disclose this threshold.

Under the VEP, the National Security Agency/Information Assurance Directorate serves as the Executive Secretariat for the process, which entails facilitating discussions, decisions and record-keeping regarding the exploits. The document states that the role must be performed “so as to remain neutral and independent of the organization's equities in any particular case.”

Agencies that can participate in the process include but may not be limited to the Departments of State, Justice, Homeland Security, Treasury, Commerce, and Energy, and the Office of the Director of National Intelligence, so long as they have a “self-identified” interest in the vulnerability being discussed.

Under the section set to describe the “Vulnerability Equities Process,” all of the text is redacted.

Under the section titled “Process Overview,” the government describes the steps it takes when a vulnerability is identified. However, these steps are redacted as well.

The government also redacted the section that describes the steps taken to implement a decision not to disclose the software exploit.

The actual decision on whether to disseminate information about an exploit is made by an interagency Equities Review Board (ERB). Subject matter experts (SMEs) discuss the issue and make recommendations to the ERB, which then comes up with a decision. If it cannot reach a decision together, a vote is taken and the decision is made by majority rule.


Still unclear is how many vulnerabilities the government has disclosed and how often it does so. The EFF said it is still “digesting” the document and has not decided whether or not it will seek to uncover any of the remaining redactions.

The government’s use of zero-day exploits first came into question when reports began stating that the NSA knew about the damaging ‘Heartbleed’ bug well in advance but decided to keep its existence secret in order to exploit it. 

In response, the Office of the Director of National Intelligence denied that this was the case and made the first mention of the VEP.

In an interview with Wired, Special Assistant to the President and Cybersecurity Coordinator Michael Daniel said that while the VEP was in place, it had to be “reinvigorated” because it “had not been implemented to the full degree that it should have been.”