Update November 8th, 2017. I presented the paper at the GameSec conference in Vienna. The slides from my talk are available here.
Update August 20th, 2017. The paper was accepted to the GameSec conference.
Update July 18th, 2017. I’ve updated the paper to include a new section looking at the EternalBlue exploit and the WannaCry malware.
I spent all day finishing up a paper about the U.S. Vulnerabilities Equities Process — the process by which the government decides to retain or disclose zero day vulnerabilities — and deliberately not spending time reading twitter or the news. Then, of course, it turns out that there is a huge story about CIA hacking and their use of zero day exploits.
Since it might be of interest, I’m putting the paper up as a working paper here:
Here is the abstract:
The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerability allows the government to conduct intelligence, offensive national security, and law enforcement activities. While redacted documents give some information about the organization of the VEP, very little is publicly known about the decision-making process itself, with most of the detail about the criteria used coming from a blog post by Michael Daniel, the former White House Cybersecurity Coordinator. These details are needed in order to have an informed debate about the policy and to assess its effectiveness. In this paper, we discuss the VEP and look at how the criteria influence the timing of disclosure. We then present a model that shows how the criteria could be combined to determine the optimal time for the government to disclose a vulnerability, with the aim of providing insight into how a more formal, repeatable decision-making process might be achieved.
Although I’ve only had a little time to glance at the Wikileaks release, I have a feeling that the need for information and debate about the VEP and how the government makes vulnerability disclosure decisions is going to be stronger than ever.