The House of Representatives passed the “Cyber Vulnerability Disclosure Reporting Act” this week. While the bill is quite limited in scope, EFF applauds its goals and supports its passage in the Senate.
H.R. 3202 is a short and simple bill, sponsored by Rep. Sheila Jackson Lee (D-TX), that would require the Department of Homeland Security to submit a report to Congress outlining how the government deals with disclosing vulnerabilities. Specifically, the mandated report would comprise two parts. First, a “description of the policies and procedures developed [by DHS] for coordinating cyber vulnerability disclosures,” or in other words, how the government reports flaws in computer hardware and software to the developers. And second, a possibly classified “annex” containing descriptions of specific instances where these policies were used to disclose vulnerabilities in the previous year, leading to mitigation of the vulnerabilities by private actors.
Perhaps the best thing about this short bill is that it is intended to provide some evidence for the government’s long-standing claims that it discloses a large number of vulnerabilities. To date, such evidence has been exceedingly sparse; for instance, Apple received its first ever vulnerability report from the U.S. government in 2016. Assuming the report and annex work as intended, the public’s confidence in the government’s ability to “play defense” may actually increase.
The bill has no direct interaction with the new Vulnerabilities Equities Process (VEP) charter, which was announced last November. As we said then, we think the new VEP is probably a step in the right direction, and this bill provides further support for transparency into the government’s handling of vulnerabilities.
As an aside, we question the need to classify the annex describing actual instances of disclosed vulnerabilities. Except maybe under exceptional circumstances, this should be public, especially coming after dubious statements by officials like that by White House Cybersecurity Coordinator Rob Joyce when he said last week that “the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.” Reassurances like that remain hard to take at face value in light of the NSA’s recent history of sabotaging American companies’ computer security.
We’ll be watching as the bill moves to the Senate.