OTI welcomes today's House passage of the "Cyber Vulnerability Disclosure Reporting Act" (H.R. 3202), which would provide greater transparency for the Vulnerabilities Equities Process (VEP) that the government uses to assess when to disclose cyber vulnerabilities and when to exploit them. As OTI recently advocated, requiring unclassified reporting on the policies and procedures developed for coordinating cyber vulnerability disclosures is critical for the establishment of a transparent and functional VEP.
In November, the administration released a new VEP charter that outlines how it weighs the cybersecurity need to disclose vulnerabilities against the equities of law enforcement and intelligence agencies that seek to exploit them. The bill passed by the House today would require the Department of Homeland Security, within eight months, to provide an unclassified report to Congress describing the policies and procedures adopted under this process and outlining instances in which the government disclosed vulnerabilities to enable vendors to repair them.
The following statement can be attributed to Andi Wilson, policy analyst at New America’s Open Technology Institute:
Today’s House vote is a step forward toward enabling the public to assess how the administration is actually deciding when to disclose cyber vulnerabilities. Creating a requirement in law for unclassified reporting on the Vulnerabilities Equities Process is a key part of much-needed reform. The administration’s Charter for the VEP is policy, not law, and unless the government is legally required to report to Congress, then we have no way to trust that the VEP is functioning as we have been told it should. This bill provides welcome transparency and we urge Congress to enact further reforms of the process by which the government reviews and discloses dangerous cybersecurity vulnerabilities.