Zero Day Disclosure Bill Heads to House Floor

The House will debate legislation Tuesday requiring the Homeland Security Department to report on how the government decides whether it will exploit newfound computer software vulnerabilities against U.S. adversaries or disclose them to manufacturers to be patched.

The Cyber Vulnerability Disclosure Act would put the force of legislation behind a Trump administration plan to publish an annual report on its “vulnerabilities equities process” for determining whether to hoard or disclose software bugs.

That process includes input from intelligence agencies that are more likely to favor hoarding vulnerabilities and from security-focused agencies that are more likely to favor disclosing them.

The bill, sponsored by Rep. Sheila Jackson Lee, D-Texas, was introduced before the Trump administration’s plan. The Obama administration released an outline of its vulnerabilities equities process but did not regularly update the document.

As a general rule, the government discloses about 90 percent of the software vulnerabilities it finds, officials from both administrations have said. The government privileges disclosure in cases where the vulnerabilities are most likely to be discovered by criminals and used against U.S. consumers, officials have said.

Jackson Lee’s office expects the bill to pass Tuesday evening, a spokesman said.

There’s not yet a Senate counterpart to the bill, but Jackson Lee’s office is working on finding one, the spokesman said.

The bill passed the Homeland Security Committee in September on a voice vote.