House passes vulnerability disclosure oversight bill

The House of Representatives passed a bill requiring the Department of Homeland Security to inform Congress about how it makes vulnerability disclosure decisions.

The bill, introduced by Rep. Sheila Jackson Lee (D-Texas), seeks to provide Congress with more clarity surrounding the policies and processes used in the vulnerabilities equities process, the executive decision-making that determines whether to disclose a bug to software companies so it can be remediated or to retain it for use in secret espionage.

The bill passed the House by voice vote Jan. 9.

Specifically, the bill would mandate DHS submit a report on cyber vulnerability disclosures to the House Homeland Security Committee and the Senate Homeland Security and Government Affairs Committee.

The report would include -- "to the extent possible" -- which policies and procedures were used to disclose cyber vulnerabilities, as well as the ways in which industry and other beneficiaries acted upon the information provided. The report could also detail how DHS is working across government to protect critical infrastructure and to prevent, detect and mitigate cyber vulnerabilities.

Since the bill's introduction in July 2017, the White House publicly released its bug disclosure policy, revealing some of the considerations taken into account and which agencies are involved in the decision to inform industry about cyber bugs.

White House Cybersecurity Coordinator Rob Joyce has said that government, the world's largest purchaser of malware and software vulnerabilities, ends up disclosing about 90 percent of known vulnerabilities.

Representatives from the Departments of Justice, State, Homeland Security, Energy, Defense, Commerce and Treasury, along with the Office of Management and Budget, CIA, NSA and FBI, are involved in this decision-making. The process is overseen by the White House.

The process of deciding whether to share known vulnerabilities has been of bipartisan interest to Congress for some time. In May, members of the House and Senate from both sides of the aisle introduced a bill that would codify the vulnerabilities equities process board and criteria for releasing vulnerability information.