The longer a breach goes unreported, the more damage it can cause. In response to the massive amount of data breaches that took place in 2017, the White House recently issued a new policy regarding how the federal government will handle the process of reporting hacks and vulnerabilities in private companies.
TechRepublic’s Dan Patterson met with Core Security’s threat researcher Willis McDonald to discuss the White House Vulnerabilities Equities Process (VEP) and its implications.
The VEP lays out how the federal government will address the vulnerabilities they discover, how they will be released, by what standards they will access vulnerabilities, and how to get the vulnerabilities into the hands of the vendors they affect, McDonald explained. This process brings other shareholders to the table, and allows other government agencies to weigh in on some vulnerabilities.
SEE: IT leader’s guide to the threat of cyberwarfare (Tech Pro Research)
“I really don’t think this is an effective policy,” he said. “There are a lot of exclusions and loopholes to be able to hold onto vulnerabilities.” The purpose of this policy is to disclose vulnerabilities when they’re discovered by an agency, but the loopholes make it easy to disregard certain vulnerabilities.
The VEP does address timeframes when the vulnerabilities need to be reported. However, if a partner within an organization decides that information should not be released, there is no timeframe that requires the organization to come to a decision, he added.
If an organization has discovered a vulnerability, McDonald suggests to get with the vendor that it affects, and follow their disclosure procedures before disclosing it to the public. Also, organizations should access their own environment to see how the vulnerability will affect them if it goes unpatched.