Mohana Ravindranath | Nextgov | May 17, 2017

Bill Aims to Clarify When and How the Government Discloses Software Vulnerabilities


On the heels of a major ransomware attack that first plagued the national health service in Britain and then spread globally, U.S. lawmakers want to codify the process by which the government shares newly discovered vulnerabilities with software vendors and the public.

A bipartisan group of senators introduced a bill that directs federal leaders to come up with a more transparent process for determining when those vulnerabilities should be disclosed. The process would consider how damaging the vulnerabilities would be if exploited by criminals and foreign intelligence, and the potential consequences for vendors and consumers who could be targeted.

The Protecting our Ability To Counter Hacking, or PATCH, Act, is an effort to balance “national security and general cybersecurity,” Sen. Brian Schatz, D-Hawaii, part of a group that introduced the bill, said in a statement.


The legislation would establish a Vulnerability Equities Review Board responsible for outlining policies on “whether, when, how, to whom and to what degree information about a vulnerability that is not publicly known should be shared or released by the federal government to a non-federal entity,” the text said.

The recent ransomware incident, known as the WannaCry attack and which reportedly made use of a vulnerability held by the National Security Agency, highlights a need to “combine public and private efforts” and point out software bugs to vendors as soon as possible, Sen. Ron Johnson, R-Wis., who also introduced the bill, said in a statement.

The bill appears to continue the Obama administration’s approach to disclosure decisions, which weighed “prompt disclosure” against the recognition that “withholding knowledge of some vulnerabilities for a limited time can have significant consequences,” as then-cybersecurity coordinator Michael Daniel wrote in a 2014 White House blog post. That post came shortly after NSA tweeted in 2014 that it was unaware of the Heartbleed vulnerability.

“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” Daniel wrote. The decision to disclose, he wrote, involved weighing the following questions:

According to former White House officials, the previous administration would often opt for disclosure in cases in which criminals or foreign actors could use that vulnerability or if its exploitation would be dangerous for consumers. They also said they stored less than 10 percent of zero-day exploits they found.

Under the PATCH Act, the review board would consider many of the questions Daniel mentioned. The legislation also directs the board—whose permanent members would include designees of the Homeland Security Department, the FBI, the CIA, the Office of the Director of National Intelligence, the Commerce Department and NSA—to submit its policies to the president and to Congress. Personnel from the State, Treasury and Energy departments and the Federal Trade Commission would be involved on an ad hoc basis.

After the WannaCry incident was reported, Homeland Security Adviser Tom Bossert noted the U.S. is “extremely careful with their processes of how they handle any vulnerabilities they’re aware of.”

He also emphasized that the malware was “not a tool developed by the NSA to hold ransom data,” though he neither confirmed nor denied that the NSA had exploited that vulnerability.
