By Electronic Frontier Foundation (Reporter)

A Step in the Right Direction: House Passes the Cyber Vulnerability Disclosure Reporting Act

Friday, January 12, 2018 8:49

The House of Representatives passed the “Cyber Vulnerability Disclosure Reporting Act” this week. While the bill is quite limited in scope, EFF applauds its goals and supports its passage in the Senate.

H.R. 3202 is a short and simple bill, sponsored by Rep. Sheila Jackson Lee (D-TX), that would require the Department of Homeland Security to submit a report to Congress outlining how the government deals with disclosing vulnerabilities. Specifically, the mandated report would comprise two parts. First, a “description of the policies and procedures developed [by DHS] for coordinating cyber vulnerability disclosures,” or in other words, how the government reports flaws in computer hardware and software to the developers. And second, a possibly classified “annex” containing descriptions of specific instances where these policies were used to disclose vulnerabilities in the previous year, leading to mitigation of the vulnerabilities by private actors.

Perhaps the best thing about this short bill is that it is intended to provide some evidence for the government’s long-standing claims that it discloses a large number of vulnerabilities. To date, such evidence has been exceedingly sparse; for instance, Apple received its first ever vulnerability report from the U.S. government in 2016. Assuming the report and annex work as intended, the public’s confidence in the government’s ability to “play defense” may actually increase.

The bill has no direct interaction with the new Vulnerabilities Equities Process (VEP) charter, which was announced last November. As we said then, we think the new VEP is probably a step in the right direction, and this bill provides further support for transparency into the government’s handling of vulnerabilities.

As an aside, we question the need to classify the annex describing actual instances of disclosed vulnerabilities. Except maybe under exceptional circumstances, this should be public, especially coming after dubious statements by officials like that by White House Cybersecurity Coordinator Rob Joyce when he said last week that “the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.” Reassurances like that remain hard to take at face value in light of the NSA’s recent history of sabotaging American companies’ computer security.

We’ll be watching as the bill moves to the Senate.



Source: https://www.eff.org/deeplinks/2018/01/step-right-direction-house-passes-cyber-vulnerability-disclosure-reporting-act
