Finding a healthy balance between a nation’s national security needs and the government’s responsibility to keep the public secure in cyberspace, is a complicated task. One aspect of the problem is vulnerability disclosure. In other words, what should a government do if one of its security agencies learns about a vulnerability (e.g. a technical flaw) in a software or hardware product?
Essentially governments are faced with two options: either disclose the vulnerability to the affected vendor, so the security hole can be patched, or retain the knowledge of the vulnerability so it can be exploited for national security purposes.
In the US, the public discourse on the government’s responsibility to disclose vulnerabilities has been taking place for a little less than a decade. Meanwhile, in Europe this conversation is much less advanced.
The debate in the US
Thanks to the relentless efforts of the Electronic Frontier Foundation (EFF) we know that the US effort started in 2008 when President Bush ordered the development of a joint plan for dealing with offensive and defensive cyber capabilities, noting that the discovery of vulnerabilities “may present competing equities for [government] offensive and defensive mission interests”. Following the plan’s recommendations, a working group led by ODNI Mike McConnell developed a framework in 2008/09 outlining what is now called the Vulnerabilities Equities Process (VEP).
Although the VEP was implemented back in 2010, it took a further four to six years for the framework to become public. Faced with mounting pressure due to the Snowden affair, the Obama administration embarked internally on a ‘reinvigorated’ VEP process in 2013/14. According to declassified documents, the process set out to refine the key criteria used to determine whether or not to disclose a vulnerability and pledged to focus on interagency communication to ensure that the process is followed “consistently and thoroughly.” To this end, if an agency insists on retaining a particular security flaw, it has to argue the case before the Equities Review Board (ERB), which consists of representatives from a number of government agencies.
A problem of terminology
One of the reasons it is difficult to talk about this subject in Europe is the similarity of terminology used to describe different aspects of vulnerability reporting and handling.
The table below lists the various terms used to describe similar yet inherently different vulnerability disclosure processes.
Vulnerability Disclosure Processes
Coordinated Vulnerability Disclosure (CVD)
A process whereby the security researcher who discovered the vulnerability coordinates with the affected vendor(s) to allow them to patch the security hole. Following the successful creation of a patch, the vulnerability information and the patch are released to the public.
Responsible Vulnerability Disclosure
A process whereby the security researcher who discovered the vulnerability reports said vulnerability in confidence to the vendor. If the vendor is not responsive within a designated timeframe (Google Zero has established a widely recognized 90-day timeframe), the security researcher may release the knowledge of the vulnerability to the public.
This means that unlike CVD, the vendor may have a very limited timeframe to respond to the vulnerability, leading to a situation in which the knowledge of a vulnerability is released to the public without a patch being available.
Full Vulnerability Disclosure
As soon as the vulnerability is found, all details are published in the public domain. This approach is supposed to motivate vendors to mitigate flaws as fast as possible. However, there is a very high risk of the vulnerability being exploited while no patch is available, potentially for a long period of time.
Non-Disclosure
A process whereby the person who discovered the vulnerability keeps it secret. Motivations for non-disclosure can vary from malicious intent to laziness.
Vulnerabilities Equities Process (VEP)
In contrast to the various disclosure options above, the Vulnerabilities Equities Process helps the US government to determine whether to withhold or to disclose their knowledge of an existing vulnerability. Some researchers have put forward the umbrella term Government Vulnerability Disclosure (GVD).
The debate in Europe
At present, the Netherlands is widely seen as the ‘leader’ in Europe when it comes to vulnerability disclosure policies. But even the Dutch have a long way to go. For example, during the Dutch presidency of the EU Council, a number of organizations kicked off ‘The Coordinated Vulnerability Disclosure Manifesto’ in May 2016, a one-page document obliging signatories to “combine efforts to follow international standards and best practices for remediating and disclosing vulnerabilities and implementing these in their organization.” In praising the Dutch for making significant progress on vulnerability disclosure, commentators failed to note that the manifesto only targets private companies and their internal assessments for disclosure.
Equally, the responsible disclosure policy put in place by the Dutch National Cyber Security Centre is squarely aimed at researchers reporting vulnerabilities to the government, which in turn provides researchers with legal protections if they comply with the reporting conditions outlined. These policies are very similar to the responsible/coordinated disclosure policies used by CERTs and private sector companies worldwide.
Overall, the Netherlands might be a leader on responsible disclosure, but it is certainly not a leader on government vulnerability disclosure. In fact, European governments, including the Netherlands, have done little to nothing to enact policies similar to the VEP.
Little is publicly known about how European governments handle the knowledge of vulnerabilities in their possession, although the UK has provided some insight. Former GCHQ director Robert Hannigan noted back in November 2017 that the UK’s signal intelligence agency releases “over 90% of the vulnerabilities” it knows about. Hannigan also pointed out that in the UK, the process “is run internally within GCHQ and informed by the National Cyber Security Centre [NCSC], which is part of GCHQ. In that sense, the process is similar [to the VEP], it doesn’t have the same involvement of the executive and other parts of government […]. The principles of making the judgments are pretty much the same, and we work pretty closely with the NSA too, so we are not doing this in complete isolation.”
In contrast, back in June 2017, the Centre for European Policy Studies (CEPS) launched a Task Force that brought together stakeholders to discuss the implications of software vulnerability disclosure across the EU. Several meetings took place and the final report is forthcoming in April. The Task Force’s expectations are high that the report will increase the pressure on EU member states to embark on a vulnerabilities equities process. Even Rob Joyce, cybersecurity coordinator at the White House, praised the initiative on Twitter, highlighting that “US leadership on balanced Vulnerability Equity Processes is paying dividends internationally with others taking up the debate.”
However, judging from both the meeting agendas and the recommendations of the CEPS Task Force report, it appears that the discussions focused predominantly on coordinated and responsible vulnerability disclosure rather than on driving the VEP debate in Europe. At the time of this writing, the CEPS recommendations only include a list of broad “GVD [government vulnerability disclosure] characteristics” and a plea for either “the European Commission or ENISA to conduct a study of member states’ efforts to implement a GVD process.”
The key take-away is this: all EU member states still lack an effective vulnerabilities equities process, and yet there is little to no discourse on it. We can certainly ignore the failure of European governments to address the way they deal internally with vulnerability disclosure, but that risks an eventual collision between national security needs and keeping European citizens safe. Last year’s WannaCry and NotPetya campaigns have clearly shown what can happen when a government withholds knowledge of severe vulnerabilities and then loses control of its exploit kits. It should not take a serious leak of classified information in Europe to put the VEP debate on the continent’s agenda. Tackling the problem now will avoid considerable headaches for European governments and intelligence agencies in the future.
Teodora Delcheva is the Cybersecurity & Defence Research Assistant at the European Council on Foreign Relations (ECFR)
Stefan Soesanto is the Cybersecurity & Defence Fellow at the European Council on Foreign Relations (ECFR)
Notes
1. https://www.belfercenter.org/sites/default/files/legacy/files/Vulnerability%20Disclosure%20Web-Final4.pdf, p. 4
2. https://www.ceps.eu/system/files/SVD-%20Flyer%20event%2027%2002%20Parliament-%2024%2002_Final.pdf, p. 1
3. See Microsoft: https://technet.microsoft.com/en-us/security/dn467923.aspx; The Atlantic: https://www.theatlantic.com/responsible-disclosure-policy/; or EU-CERT: https://cert.europa.eu/cert/newsletter/en/latest_HallOfFame_.html#CERTpolicy
4. The full report was not available by the time of this writing. https://www.ceps.eu/sites/default/files/Vulnerability%20Disclosure%20Workshop_%20Agenda%20%20Final%20.pdf
5. https://www.ceps.eu/system/files/SVD-%20Flyer%20event%2027%2002%20Parliament-%2024%2002_Final.pdf, p. 2