{"id":10520,"date":"2017-05-17T08:29:40","date_gmt":"2017-05-17T15:29:40","guid":{"rendered":"https:\/\/blog.mozilla.org\/?p=10520"},"modified":"2017-05-26T09:50:14","modified_gmt":"2017-05-26T16:50:14","slug":"improving-internet-security-vulnerability-disclosure","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/","title":{"rendered":"Improving Internet Security through Vulnerability Disclosure"},"content":{"rendered":"<h2><i>Supporting the PATCH Act for VEP Reform<\/i><\/h2>\n<p>Today, Mozilla <a href=\"https:\/\/blog.mozilla.org\/wp-content\/uploads\/2017\/05\/Mozilla-PATCHActSupport.pdf\">sent a letter to Congress<\/a> in support of the Protecting Our Ability to Counter Hacking Act <a href=\"https:\/\/www.schatz.senate.gov\/press-releases\/bipartisan-bicameral-lawmakers-introduce-bill-to-enhance-cybersecurity-promote-transparency\">(PATCH Act) that was just introduced<\/a> by Sen. Cory Gardner, Sen. Ron Johnson, Sen. Brian Schatz, Rep. Blake Farenthold, and Rep. Ted Lieu.<\/p>\n<p>We support the PATCH Act because it aims to codify and make the existing Vulnerabilities Equities Process more transparent. The Vulnerabilities Equities Process (VEP) is the U.S. government\u2019s process for reviewing and coordinating the disclosure of new vulnerabilities it learns about.<\/p>\n<p>The VEP remains shrouded in secrecy, and is in need of process reforms to ensure transparency, accountability, and oversight. Last year, I wrote about <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/\">five important reforms to the VEP<\/a> we believe are necessary to make the internet more secure. 
The PATCH Act includes many of the key reforms, including codification in law to increase transparency and accountability.<\/p>\n<p>For background, a vulnerability is a flaw &#8211; in design or implementation &#8211; that can be used to exploit or penetrate a product or system. We <a href=\"https:\/\/blog.mozilla.org\/blog\/2017\/05\/15\/wannacry-cry-vep-reform\/\">saw an example this weekend<\/a> as a ransomware attack took unpatched systems by surprise &#8211; and you\u2019d be surprised at how common they are if we don\u2019t all work together to fix them. These vulnerabilities can put users and businesses at significant risk from bad actors. At the same time, exploiting these same vulnerabilities can also be useful for law enforcement and intelligence operations. It\u2019s important to consider those equities when the government decides what to do.<\/p>\n<p>If the government has exploits that have been compromised, they must disclose them to tech companies before those vulnerabilities can be used widely and put users at risk. The lack of transparency around the government\u2019s decision-making processes here means that we should improve and codify the Vulnerabilities Equities Process in law. Read <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/05\/17\/working-together-towards-secure-internet-vep-reform\/\">this Mozilla Policy blog post<\/a> from Heather West for more details.<\/p>\n<p>The internet is a shared resource and securing it is our <a href=\"https:\/\/blog.mozilla.org\/blog\/2016\/09\/13\/cybersecurity-is-a-shared-responsibility\/\">shared responsibility<\/a>. This means technology companies, governments, and even users have to work together to protect and improve the security of the internet.<\/p>\n<p>We look forward to working with the U.S. 
government (and governments around the world) to improve disclosure of security vulnerabilities and better secure the internet to protect us all.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Supporting the PATCH Act for VEP Reform &nbsp; Today, Mozilla sent a letter to Congress in support of the Protecting Our Ability to Counter Hacking Act (PATCH Act) that was &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/\">Read more<\/a><\/p>\n","protected":false},"author":563,"featured_media":9612,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[88,66,757,847,69],"tags":[],"coauthors":[307127],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Improving Internet Security through Vulnerability Disclosure - The Mozilla Blog (Archived)<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Denelle Dixon\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/\",\"url\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/\",\"name\":\"Improving Internet Security through Vulnerability Disclosure - The Mozilla Blog (Archived)\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/blogarchive\/files\/2016\/09\/Cybersecurity.png\",\"datePublished\":\"2017-05-17T15:29:40+00:00\",\"dateModified\":\"2017-05-26T16:50:14+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/blogarchive\/files\/2016\/09\/Cybersecurity.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/blogarchive\/files\/2016\
/09\/Cybersecurity.png\",\"width\":450,\"height\":400},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/blogarchive\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Improving Internet Security through Vulnerability Disclosure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/blogarchive\/\",\"name\":\"The Mozilla Blog (Archived)\",\"description\":\"Dispatches from the Internet frontier.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/blogarchive\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec\",\"name\":\"Denelle Dixon\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/image\/1720f6d7063c89117905d2c75f3b155a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g\",\"caption\":\"Denelle Dixon\"},\"description\":\"Denelle Dixon-Thayer is Chief Legal and Business Officer at Mozilla Corporation\",\"url\":\"https:\/\/blog.mozilla.org\/blogarchive\/blog\/author\/ddixonmozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Improving Internet Security through Vulnerability Disclosure - The Mozilla Blog (Archived)","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/","twitter_misc":{"Written by":"Denelle Dixon","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/","url":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/","name":"Improving Internet Security through Vulnerability Disclosure - The Mozilla Blog (Archived)","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/blogarchive\/files\/2016\/09\/Cybersecurity.png","datePublished":"2017-05-17T15:29:40+00:00","dateModified":"2017-05-26T16:50:14+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.m
ozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#primaryimage","url":"https:\/\/blog.mozilla.org\/blogarchive\/files\/2016\/09\/Cybersecurity.png","contentUrl":"https:\/\/blog.mozilla.org\/blogarchive\/files\/2016\/09\/Cybersecurity.png","width":450,"height":400},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/blogarchive\/"},{"@type":"ListItem","position":2,"name":"Improving Internet Security through Vulnerability Disclosure"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/blogarchive\/#website","url":"https:\/\/blog.mozilla.org\/blogarchive\/","name":"The Mozilla Blog (Archived)","description":"Dispatches from the Internet frontier.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/blogarchive\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/a4c77c94853bf9dbb79a9a206322d6ec","name":"Denelle Dixon","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/blogarchive\/#\/schema\/person\/image\/1720f6d7063c89117905d2c75f3b155a","url":"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4e1edda1af518a1659f0bae91f9fab03?s=96&d=mm&r=g","caption":"Denelle Dixon"},"description":"Denelle Dixon-Thayer is Chief Legal and Business Officer at Mozilla 
Corporation","url":"https:\/\/blog.mozilla.org\/blogarchive\/blog\/author\/ddixonmozilla-com\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/posts\/10520"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/users\/563"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/comments?post=10520"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/posts\/10520\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/media\/9612"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/media?parent=10520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/categories?post=10520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/tags?post=10520"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/blogarchive\/wp-json\/wp\/v2\/coauthors?post=10520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}