The Linux Foundation has called on the US government to update its Vulnerabilities Equities Process (VEP) — an interagency framework used to determine when the government should disclose and when it should hoard zero-day exploits for its own use, urging it pointedly May 14 to “work more cooperatively with commercial organizations, including OSS projects, to share more vulnerability information.”
The comments came in a Linux Foundation response to this week’s Executive Order (EO) from the Biden administration. The EO mandates federal action to “rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software”. It also compels NIST to “publish preliminary guidelines… for enhancing software supply chain security” within 180 days.
Detailing the Linux Foundation’s own extensive efforts to improve the security of the open source software supply chain, the report by David Wheeler, the foundation’s director for open source supply chain security, notes that “every vulnerability that the US fails to disclose is a vulnerability that can be found and exploited by attackers. We would welcome such discussions.” (Critics say such undisclosed vulnerabilities are unlikely to remain within the exclusive control of a government for any length of time.)
What is the Vulnerabilities Equities Process?
The VEP was developed during the Obama administration in 2014 and its charter published under the Trump administration in 2017. It details how and when the USG uses vulnerabilities for law enforcement and national security purposes without disclosing them to their manufacturers or developers. The practice is a delicate balancing act for the national security world and pressure has mounted from the software community — including from major vendors — on the government to rapidly disclose zero days.
Microsoft President Brad Smith was vocal on the need for change in 2017 in the wake of the WannaCry ransomware incident (which abused exploits stolen from the National Security Agency) noting that it “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”.
He said at the time: “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world… repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage… this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
The NSA has since regularly disclosed critical vulnerabilities to major software vendors, including Microsoft. (It disclosed the vulnerabilities in Microsoft Exchange this April that were widely abused by APTs and cybercriminals.) Needless to say, it is never possible to say how long it has sat on them before disclosing.
GCHQ, the UK’s NSA equivalent, published its own Equities Process in November 2018, noting that “we do not disclose every vulnerability we find. In some cases, we judge that the UK’s national security interests are better served by ‘retaining’ knowledge of a vulnerability.
“When we discover a previously unknown vulnerability, our starting position is to disclose it.
“We always perform a thorough review so we can understand whether there is an overwhelming national security benefit in retaining it,” GCHQ said, but added “knowledge of the vulnerability… can be used to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states.”