Press Release

White House Releases VEP Charter, Increases Transparency of Cybersecurity Disclosures

November 16, 2017 , , , ,

Today the White House released the Vulnerabilities Equities Policy and Process (VEP) Charter. The Charter establishes a Vulnerabilities Equities Review Board to oversee the government’s disclosure of vulnerabilities that are not publicly known in information technology products and systems. Public Knowledge commends the government for increasing the transparency of its approach to disclosing hardware and software vulnerabilities.

The following can be attributed to Megan Stifel, Cybersecurity Policy Director at Public Knowledge:

“Public Knowledge welcomes today’s release of the Executive Branch Vulnerabilities Equities Process (VEP) Charter. As the Fact Sheet acknowledges, greater transparency about the way in which the United States government assesses whether to disclose a newly discovered not publicly known cybersecurity vulnerability can improve public confidence in the internet. The Executive Branch’s decision to publicly release this Charter, together with the public report it requires, affirm the United States’ commitment to a free, open, and interoperable global internet.

“Among other important elements, today’s release makes clear that privacy, security, economic, and international considerations inform the review process. The Charter reflects these considerations by establishing disclosure as the default policy approach, allowing for a decision to withhold only after a repeatable, rigorous review process. The Charter also sets forth an important corollary, namely that when the VEP decides not to disclose, such decision is temporary.

“In light of what is known about the Equifax breach, it is important to highlight that the government expects the company to which it disclosed a vulnerability to patch it. As we previously wrote, organizations that maintain sensitive personal information must have meaningful processes in place to protect it. We welcome legislation that requires these entities to have such processes and holds them accountable to their obligations.

“While today’s announcement is an important one, we continue to support legislation to codify the VEP and look forward to working with Congress to finalize that legislation.”