{"id":1324,"date":"2017-11-15T08:57:26","date_gmt":"2017-11-15T16:57:26","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1324"},"modified":"2017-11-15T14:51:09","modified_gmt":"2017-11-15T22:51:09","slug":"white-house-releases-new-vep-charter","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/","title":{"rendered":"White House releases new VEP charter"},"content":{"rendered":"<p>This morning, the White House released a new version of the Vulnerabilities Equities Process (VEP). We want to thank Rob Joyce, and the rest of the NSC staff working on the rewrite, for continuing to pay attention to this important issue. As we\u2019ve said before, we all have a <a href=\"https:\/\/blog.mozilla.org\/blog\/2016\/09\/13\/cybersecurity-is-a-shared-responsibility\/\">shared responsibility<\/a> to protect the entirety of the online ecosystem. The increased transparency around this process will help to foster that shared commitment to securing the internet.<\/p>\n<p>The VEP is how the U.S. government reviews and coordinates the disclosure of security vulnerabilities that it learns about. Proper handling of vulnerabilities clearly benefits both the government and the health of the internet, because the underlying tools, platforms and services are widely used in both the public and private sectors.<\/p>\n<p>Mozilla has been pushing for concrete and meaningful change in how the U.S. government handles security vulnerabilities. We have been working with a bipartisan, bicameral group of legislators in Congress on the <a href=\"https:\/\/blog.mozilla.org\/blog\/2017\/05\/17\/improving-internet-security-vulnerability-disclosure\/\">PATCH Act<\/a>, which we believe to be an incredibly positive step. 
We\u2019re happy to see the White House take similar action.<\/p>\n<p>We\u2019ve been working to reform and codify the VEP for over two years &#8211; so we\u2019re excited to see the White House make progress on this important issue. What we saw from the White House today includes welcome developments. We are evaluating this updated information against <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2016\/09\/19\/improving-government-disclosure-of-security-vulnerabilities\/\">five criteria<\/a> we released last year, all of which Joyce discussed:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><i>All vulnerabilities and exploits should go through the VEP.<\/i> Joyce mentioned a lot of agencies with interests in software and vulnerabilities &#8211; but that doesn\u2019t mean that they have to use the process. The White House &#8211; or Congress &#8211; should require that all vulnerabilities go through the process. Joyce, and the charter, seem to imply that all vulnerabilities need to go through the VEP &#8211; and that any exceptions need to be made clear to the cyber coordinator at the White House, who can veto that exception &#8211; which would be an excellent development. The exceptions process itself is classified, so we don\u2019t know what that entails.<\/li>\n<li><i>All relevant federal agencies should apply a standard set of criteria in their review, to ensure all relevant risks and interests are considered. <\/i>Joyce outlined the now-public list of agencies that are involved in the process. While there isn\u2019t a lot of change from what we believe the list of agencies was in the past, it\u2019s excellent to make that list public &#8211; and to clearly say that other agencies can participate when they have equities (assuming that they have folks with clearance). 
The list: the Department of Homeland Security (represented by the National Cybersecurity and Communications Integration Center), the Office of the Director of National Intelligence, the Department of Treasury (both the Secret Service and representing the banking industry), the Department of State (to represent diplomatic and non-US interests), Department of Justice (both Justice and the FBI), Department of Energy (for critical infrastructure), Office of Management and Budget, the Department of Defence (including CYBERCOM, the policy development office, the Cyber Crime Center, and the NSA &#8211; intending to include both offensive and defensive missions), the Central Intelligence Agency, and the Department of Commerce.<\/li>\n<li><i>There should be public timelines, both for reviewing vulnerabilities and re-reviewing decisions to delay disclosure.<\/i> Joyce talked about a six month window for retaining a vulnerability (the charter itself says a year), and a quicker reconsideration for a particularly sensitive vulnerability or one that there isn\u2019t broad agreement about retaining. This reconsideration is critical: just because something is useful today doesn\u2019t make it useful in six months &#8211; and indeed, the longer that it is kept, the more likely that someone else has discovered it too.<\/li>\n<li><i>Independent oversight and transparency into the procedures of the VEP should be created. <\/i>Joyce mentioned both classified reporting to Congress and an annual unclassified report for the public. This will significantly help us understand how the process works &#8211; including whether or not the government is stockpiling vulnerabilities. 
While Congress is not involved in the individual decisions that are made, they have a critical role in the oversight of the process itself.<\/li>\n<li><em>The VEP should use existing disclosure mechanisms, including those at DHS, and coordinate disclosure in line with industry best practices.<\/em> Joyce did not talk about how disclosure works, operationally. This is important: a good disclosure makes the difference. The charter requires the board to agree on guidelines about how to disclose &#8211; and we hope that they lean on the established expertise at DHS to put those together. No need to reinvent the wheel.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>We\u2019re pleased to see many of the goals of the PATCH Act covered in this process release. Our overarching goal in codifying the VEP in law to ensure compliance and permanence cannot be met by unilateral executive action, but each of these process clarifications makes a difference. We look forward to continuing to work with Congress and the White House on these reforms.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This morning, the White House released a new version of the Vulnerabilities Equities Process (VEP). 
We want to thank Rob Joyce, and the rest of the NSC staff working on &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/\">Read more<\/a><\/p>\n","protected":false},"author":1273,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[283198,10137,69,141519,10136,46877],"tags":[],"coauthors":[311577],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>White House releases new VEP charter - Open Policy &amp; Advocacy<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Heather West\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/\",\"name\":\"White House releases new VEP charter - Open Policy &amp; Advocacy\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\"},\"datePublished\":\"2017-11-15T16:57:26+00:00\",\"dateModified\":\"2017-11-15T22:51:09+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/fdff0d5bb50c4a81e2743d7f91775d40\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2017\/11\/15\/white-house-releases-new-vep-charter\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/netpolicy\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"White House releases new VEP charter\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/\",\"name\":\"Open Policy &amp; Advocacy\",\"description\":\"Mozilla&#039;s official blog on open Internet policy initiatives and developments\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/fdff0d5bb50c4a81e2743d7f91775d40\",\"name\":\"Heather West\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/473697387e4dd4394de2baac8badd43c\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1cc029c6538a1898f71b01b401691323?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1cc029c6538a1898f71b01b401691323?s=96&d=mm&r=g\",\"caption\":\"Heather West\"},\"description\":\"Heather works on security, cybersecurity, data governance, and privacy in the digital age at Mozilla, maker of the Firefox browser. At the intersection of public policy and technology, she is part policy-to-tech translator, part product consultant, and part long-term Internet strategist. She works with stakeholders and policymakers in DC as well as global product and policy teams and was recognized as one of the 2014 Forbes 30 Under 30 in Law and Policy. She helped found the public policy team at CloudFlare, a website performance and security company, served as global and Federal privacy and security issue expert on Google\u2019s public policy team, and started her career working on government technology, privacy, and identity management at the public interest group Center for Democracy and Technology. She holds a B.A. in Computer Science and Cognitive Science from Wellesley College with concentrations in philosophy and legal studies, and is a Certified Information Privacy Professional (CIPP\/US). She is also recognized as a Christian Science Monitor Passcode Influencer.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}