How U.S. Intelligence Agencies Use Software Vulnerabilities

Secrets of the Code: How U.S. Intelligence Agencies Use Software Flaws

The annual Vulnerabilities Equities Process (VEP) report for the 2023 fiscal year (FY23) reveals intriguing details about how U.S. intelligence and federal agencies manage software vulnerabilities. Over the course of the year, 39 vulnerabilities were disclosed through this process, including:

  • 29 new vulnerabilities identified during the reporting period
  • 10 vulnerabilities from previous years that were disclosed after further review

Key Findings

  • Status of Fixes Unknown: The report notes that there is no tracking of whether the disclosed vulnerabilities have been patched by software developers. This highlights a significant gap in transparency and makes it difficult to assess how vulnerability disclosures impact overall software security.
  • Reviewed Vulnerabilities (10 cases): These flaws were likely retained for internal government use, which could include espionage or offensive operations. This aligns with the practice of keeping certain vulnerabilities secret for strategic advantage.
  • Lack of Information on the Scope of the Process: The VEP report does not provide data on how many vulnerabilities were considered but not disclosed. This makes it impossible to determine how many vulnerabilities were initially reviewed for disclosure but ultimately kept for operational needs. Such information would help shed light on the balance between public safety and national interests.

The VEP remains an important but not fully transparent mechanism for deciding whether to disclose software vulnerabilities or retain them for national security purposes. However, the lack of data on patch implementation and the total number of vulnerabilities considered limits the public’s understanding of the VEP’s effectiveness.
