{"id":1175,"date":"2017-05-17T07:31:56","date_gmt":"2017-05-17T15:31:56","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1175"},"modified":"2017-05-17T07:31:56","modified_gmt":"2017-05-17T15:31:56","slug":"working-together-towards-secure-internet-vep-reform","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2017\/05\/17\/working-together-towards-secure-internet-vep-reform\/","title":{"rendered":"Working Together Towards a more Secure Internet through VEP Reform"},"content":{"rendered":"

Today, Mozilla sent a letter to Congress<\/a> expressing support for an important bill has just been introduced: the Protecting Our Ability to Counter Hacking Act (PATCH Act). You can read more in this post from Denelle Dixon<\/a>.<\/p>\n

This bill focuses on a relatively unknown, but critical, piece of the U.S. government’s responsibility to secure our internet infrastructure: the Vulnerabilities Equities Process (VEP). The VEP is the government\u2019s process for reviewing and coordinating the disclosure of vulnerabilities to folks who write code – like us – who can fix them in the software and hardware we all use (you can learn more about what we know here<\/a>). However, the VEP is not codified in law, and lacks transparency and reporting on both the process policymakers follow and the considerations they take into account. The PATCH Act would address these gaps.<\/p>\n

The cyberattack over the last week – using the WannaCry exploit from the latest Shadow Brokers release, and exploiting unpatched Windows computers – only emphasizes the need to work together and make sure that we\u2019re all as secure as we can be. As we said earlier this week<\/a>, these exploits might have been shared with Microsoft by the NSA – and that would be the right way to handle an exploit like this. If the government has exploits that have been compromised, they must disclose them to software companies before they can be used widely putting users at risk. The lack of transparency around the government\u2019s decision-making processes points to the importance of codifying and improving the Vulnerabilities Equities Process.<\/p>\n

We\u2019ve said before<\/a> – many times – how important it is to work together to protect cybersecurity. Reforming the VEP is one key component<\/a> of that shared responsibility, ensuring that the U.S. government shares vulnerabilities that put swaths of the internet at risk. The process was conceived in 2010 to improve our collective cybersecurity, and implemented in 2014 after the Heartbleed vulnerability put most of the internet at risk (for more information, take a look at this timeline<\/a>). It\u2019s time to take the next step and put this process into statute.<\/p>\n

Last year, we wrote about five important reforms to the VEP we believe are necessary:<\/p>\n