PGi releases GlobalMeet 5.0, as demand for web conferencing grows

PGi has overhauled the architecture and interface of GlobalMeet, making the process of joining and hosting virtual meetings easier on the cloud-based web conferencing platform. The latest version, GlobalMeet 5.0, will eventually replace PGi’s other online meeting tools, iMeet and ReadyTalk Meeting.

Within GlobalMeet 5.0, launched this week, PGi ditched Flash and Session Initiation Protocol in favor of HTML5 and WebRTC. The two technologies let users make phone calls; broadcast over webcams; and share files and screens using Google Chrome or Internet Explorer, Apple iOS and Android apps, or an optional desktop program. 

“Whether it’s a desktop, just a straight browser or a mobile device, it’s one click into the meeting to join it, or to start it if you’re a host,” said Patrick Harper, CTO at PGi, based in Atlanta.

Up to 125 people can participate in one meeting, although the platform should support conferences of up to 300 to 500 people eventually, Harper said. PGi’s around-the-clock customer support is quicker to access in the 5.0 interface, allowing hosts to chat with company representatives during meetings.   

Wainhouse Research, which provided consulting services to PGi while the vendor was developing GlobalMeet 5.0, predicted that personalized web-based conferencing (PWC) platforms like GlobalMeet will soon take prominence over stand-alone dial-in audio services, or the traditional conference call.

Wainhouse, based in Duxbury, Mass., projected the PWC market and the stand-alone audio market will each generate $2.8 billion in revenues globally in 2018. Historically, the audio market had been “dramatically bigger” than the web conferencing market, said Marc Beattie, senior analyst at Wainhouse.

“The reason that people are moving to PWC in general, and why they would move to 5.0, is it’s a richer experience,” Beattie said. “I can do what I need to do if I need to do it, instead of having to pivot between different applications.”

Moving ReadyTalk Meeting, iMeet customers to GlobalMeet

PGi’s web conferencing portfolio also includes iMeet and ReadyTalk Meeting. The company plans to migrate users off those products to GlobalMeet, starting with iMeet customers sometime in 2018. PGi is still deciding exactly how and when to transition its ReadyTalk Meeting clients.

Not all the features in iMeet and ReadyTalk are expected to become a part of GlobalMeet. For example, PGi does not plan to carry over the webinar and webcast platforms available in the other products.

PGi has been under pressure to consolidate what was becoming an unwieldy product portfolio. A December 2017 report on visual collaboration by Aragon Research Inc., based in Morgan Hill, Calif., cited PGi’s overlapping product offerings as the company’s weakness.

Siris Capital Group LLC, a New York-based private equity firm that also owns Polycom, bought PGi for roughly $1 billion in 2015. PGi, which boasts 45,000 customers worldwide, competes with web conferencing providers BlueJeans, Zoom, Fuze, Microsoft and Cisco.

Web-based video platforms replacing hardware

PGi’s reboot of GlobalMeet comes as companies are spending less on video conferencing hardware. Sales of video endpoints are expected to drop nearly 17% between 2017 and 2022, as businesses turn to cloud platforms and web-based applications for video, said Rich Costello, a senior research analyst with IDC.

Nemertes Research, meanwhile, predicted around 72% of the 700 businesses it surveyed around the world will use cloud-based web conferencing of some kind in 2018, up from 63% in 2017.

Today, the market is open to small and large vendors because companies are willing to test different web conferencing tools as they develop an overall unified communications strategy, said Irwin Lazar, an analyst at Nemertes, based in Mokena, Ill. Companies often find the offerings of PGi and Zoom, for example, easier to use than what’s included in the UC platforms of vendors like Microsoft or Avaya, he said.

By 2021, spending on cloud video conferencing will reach $739 million worldwide, more than double the $351 million in revenue in 2016, according to a July 2017 study by London-based IHS Markit.

Gemalto Sentinel flaws could lead to ICS attacks

A long disclosure and remediation process between security researchers and a hardware token vendor resulted in patches for dangerous flaws that could have led to attacks on critical infrastructure.

Researchers from Kaspersky Lab ICS CERT said they decided to investigate Gemalto Sentinel USB tokens after penetration tests showed the “solution provides license control for software used by customers and is widely used in ICS and IT systems.”

“The solution’s software part consists of a driver, a web application and a set of other software components. The hardware part is a USB token. The token needs to be connected to a PC or server on which a software license is required,” Kaspersky researchers wrote in a report. “From researchers’ viewpoint, [the Gemalto Sentinel software] exhibited a rather curious behavior in the system: it could be remotely accessed and communicated with on open port 1947. The protocol type was defined by the network packet header — either HTTP or a proprietary binary protocol was used. The service also had an API of its own, which was based on the HTTP protocol.”

Kaspersky ICS CERT ultimately found 14 vulnerabilities in Gemalto SafeNet Sentinel tokens, the most critical of which “can be used without local privilege escalation — the vulnerable process runs with system privileges, enabling malicious code to run with the highest privileges.”

Vladimir Dashchenko, head of the ICS CERT vulnerability research team at Kaspersky Lab, told SearchSecurity this issue needs attention because “some of the ICS vendors use such license managers for SCADA software.”

“Some vulnerabilities that we found allow remote code execution, meaning an attacker can access someone else’s computing device and make their own changes. For example, vulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the same privileges as the user running the application,” Dashchenko said via email. “Some vulnerabilities are denial-of-service (DoS) vulnerabilities, meaning an attacker has the ability to shut down a machine or network, making it unavailable to its intended users. DoS does not cause machine or network shutdown. It stops the vulnerable process. However in some cases it could possibly cause denial of service for the machine.”

Paul Brager Jr., technical product security leader at Houston-based Baker Hughes and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said the “potential implications and risks for ICS are not trivial.” 

“Open ports that allow remote interaction with engineering workstations or servers that run human machine interface or other process-oriented software licenses managed by this solution could lead to an impact to the software itself, the control assets that are managed by the software, or both,” Brager told SearchSecurity. “Worst case scenario is an impact to the processes that are being governed by the licensed solution — some of which could be critical operating processes. Also given the care that is required when patching, the risks could persist for some time.”

Gemalto Sentinel disclosure and patching

The timeline of the disclosure and patching and issues with communication from Gemalto caught the attention of the researchers. According to Kaspersky, the first set of vulnerabilities was reported to Gemalto in early 2017, but it wasn’t until late June “in response to our repeated requests” that Kaspersky received a reply.

Dashchenko clarified the timeline and noted that although Gemalto claimed it “notified all of its customers of the need to update the driver via their account dashboards; we were contacted by several developers of software that use this server, and it became clear they were not aware about the issue.”

“We have informed and sent to the vendor information regarding all of the identified vulnerabilities. In early 2017, we sent information about 11 vulnerabilities and in late June the vendor informed us that a patch had been released and information about the vulnerabilities that had been closed, along with a new version of the driver, could be found on the company’s internal user portal. On June 26, we informed Gemalto of the suspicious functionality and of three more vulnerabilities. On July 21, the vendor released a private notice about a new driver version — without any mention of the vulnerabilities closed.”

Gemalto did not respond to requests for comment at the time of this post.

Dashchenko added that Gemalto Sentinel is a “very popular licensing solution,” and noted that an advisory from Siemens listed 16 solutions that need patching against these issues.

Ken Modeste, global principal engineer at Chicago-based Underwriters Laboratories, said patching ICS is complex so users may be wary of the Gemalto Sentinel issues.

“Factory automation and connected control systems are vetted, tested, reliable systems. Deploying patches that have not seen significant runtime and test time can cause significant issues. Most of the implemented systems have requirements around safety, reliability and uptime. Therefore, deploying a patch to software or an embedded product can affect an operational system,” Modeste told SearchSecurity. “The risk associated with either down time or inadvertent failures associated with a patch of either the inherent device or software, or its interaction with other devices and software, will typically be too high for end-users to accept.”

Moreno Carullo, co-founder and CTO of Nozomi Networks, an ICS cybersecurity company headquartered in San Francisco, said patching is especially important because “while blocking port 1947 is an option to mitigate the problem, it is also not a solution that is suited for all business processes.”

“Blocking this port could result in the cessation of integral services as well,” Carullo told SearchSecurity. “ICS operators could have strong visibility into the network by applying technologies that are able to monitor the traffic passively to detect anomalies or suspicious activities. These technologies should also be integrated with the firewall to increase the needed visibility in such scenarios.”
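The passive-monitoring approach Carullo describes, worked through as an added example (not code from the article, Kaspersky, Gemalto or Nozomi): rather than blocking TCP 1947 outright, a sensor compares observed flows to the service against two hypothetical inventories, approved license clients and known license servers, and classifies each flow's payload as HTTP or binary the way the article says the service itself does. All hosts and flow records below are constructed.

```python
"""Passive detection of unexpected traffic to the Sentinel license service on TCP 1947.

Added example, not code from the article or from Kaspersky, Gemalto or Nozomi.
It assumes flow records from a passive sensor (constructed here) plus two
hypothetical inventories: approved license clients and known license servers.
"""
from dataclasses import dataclass
from typing import Optional

SENTINEL_PORT = 1947  # port the article says the service listens on

# Hypothetical inventories an ICS operator would maintain (constructed values).
APPROVED_CLIENTS = {"10.10.1.21", "10.10.1.22"}   # engineering workstations
KNOWN_LICENSE_SERVERS = {"10.10.2.5"}             # hosts meant to run the service

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # leading bytes of the client-to-server data


def classify_protocol(payload: bytes) -> str:
    """Mirror the article's description: the protocol is selected by the packet
    header, either HTTP or a proprietary binary protocol."""
    if not payload:
        return "empty"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "binary"


def assess_flow(flow: Flow) -> Optional[dict]:
    """Return an alert for a suspicious 1947 flow, or None if it looks expected.

    Two conditions are flagged: a client outside the approved set (an unknown
    host is reaching a service that runs with system privileges) and a listener
    outside the known server set (a host inventory does not know about has the
    driver installed and may be unpatched).
    """
    if flow.dport != SENTINEL_PORT:
        return None
    reasons = []
    if flow.src not in APPROVED_CLIENTS:
        reasons.append("unapproved client")
    if flow.dst not in KNOWN_LICENSE_SERVERS:
        reasons.append("unexpected 1947 listener")
    if not reasons:
        return None
    return {
        "src": flow.src,
        "dst": flow.dst,
        "protocol": classify_protocol(flow.payload),
        "reasons": reasons,
    }


def monitor(flows) -> list:
    """Run assess_flow over a batch of flows and collect the alerts."""
    return [a for a in (assess_flow(f) for f in flows) if a is not None]


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    # Approved workstation using the HTTP side of the service: expected.
    Flow("10.10.1.21", "10.10.2.5", 1947, b"GET / HTTP/1.1\r\nHost: 10.10.2.5\r\n\r\n"),
    # Approved workstation using the binary protocol: expected.
    Flow("10.10.1.22", "10.10.2.5", 1947, b"\x00\x00\x00\x10\x01\x02"),
    # Unknown host reaching the HTTP API of the license server.
    Flow("192.168.50.9", "10.10.2.5", 1947, b"POST / HTTP/1.1\r\n\r\n"),
    # Approved workstation talking to a host that should not be serving 1947.
    Flow("10.10.1.21", "10.10.3.77", 1947, b"\x00\x00\x00\x08"),
    # Unrelated HTTPS traffic: ignored.
    Flow("10.10.1.21", "10.10.2.5", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FLOWS):
        print(alert)
```

The "unexpected 1947 listener" alert doubles as a patch-inventory check: every host answering on that port has the driver installed and belongs on the update list the Siemens advisory implies.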

Brager said the risks of patching the Gemalto Sentinel issues “could be significant, given the pervasiveness of the SafeNet solution in both enterprise and OT/ICS environments.”

“Particularly concerning is the pervasiveness of the solution in control system environments, and what could potentially mean for assets that leverage the SafeNet dongle solution to operate,” Brager said. “In those instances, patching those systems can be a significant (and time consuming) undertaking. Enterprise patching may not be nearly as complex and critical, but it too comes with its own sets of risks.”

For Sale – Dual 22″ monitor setup: 2xIIYAMA E2200WS monitors and Duronic arm

Forgive the mess, in the process of clearing out the garage.

Monitors also include their original stands. Stand allows rotation and positioning of monitors how you like. I was using one for looking at A4 datasheets and the other for general work.

Monitors are dual DVI/VGA input. I will bundle mains, VGA and DVI-D -> HDMI leads.

Native panel resolution for the IIYAMA monitors is 1680×1050.
Duronic mount retails at £70 currently, so £75 for the lot is a bargain.

Stand is here: https://www.amazon.co.uk/Duronic-DM…&sr=8-8&keywords=duronic+monitor+dual+monitor

All in good working condition, monitors are clean without significant marks.
Won’t ship, too much hassle to pack this all up safely to have to travel uninsured.

Price and currency: £75
Delivery: Goods must be exchanged in person
Payment method: Cash on collection
Location: Norwich or Ely, UK
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

Federal vulnerability review under new VEP still has questions

Experts said the new Vulnerabilities Equities Process Charter unveiled by the White House should be a good step, but questioned the value of the VEP overall.

Daniel Castro, vice president for the Information Technology and Innovation Foundation (ITIF), an independent research institute, based in Washington, D.C., said the government’s overall cybersecurity policy is still flawed, but the new VEP Charter “is exactly the right policy.”

“The administration has clearly heard the requests for transparency and oversight from many stakeholders, and it has addressed those concerns head on. Now that we have a fully documented process and commitments to publish annual metrics, businesses, security experts, academics, and government officials can start to have a productive debate about how to assess and improve the disclosure process,” Castro said in a statement released by ITIF. “It remains to be seen how receptive the administration will be to reassessing when to share information on vulnerabilities, but its decision today was the right move to build up goodwill among many stakeholders.”

Balancing vulnerability disclosure

However, the VEP overall is still divisive because experts cannot agree on whether to prioritize offensive cyber capabilities or defensive when it comes to federal vulnerability review and disclosure.

In the VEP Charter announcement, Rob Joyce, special assistant to the president and cybersecurity coordinator for the National Security Council, said that “conducting this risk/benefit analysis is a vital responsibility of the federal government.”

“There are advocates on both sides of the vulnerability equity issue who make impassioned arguments. Some argue that every vulnerability should be immediately disclosed to the vendor and patched,” Joyce wrote in the announcement. “In my view, this is tantamount to unilateral disarmament. Our adversaries, both criminal and nation state, are unencumbered by concerns about transparency and responsible disclosure and will certainly not end their own programs to discover and exploit vulnerabilities.”

Katie Moussouris, CEO of Luta Security, Inc., said Joyce’s statement “is a false dichotomy between 100% disclosure, versus the current process that puts 0-day vulnerabilities at the heart of the matter.”

“My assertion has always been to err on the side of disclosure to the vendor, and seek a mission-focused alternative to using zero-day vulnerabilities in broadly-deployed software,” Moussouris told SearchSecurity. “In some cases, not all, the objective of the mission could be completed via other means, such as exploiting misconfigurations, or well-crafted phishing attacks, or even via zero-day exploits in localized, country-specific software instead. Exploitation of vulnerabilities for which a patch exists but hasn’t been applied on the target system yet is one such alternative.”

J.J. Guy, CTO of JASK, a cybersecurity company based in San Francisco, and former officer in the U.S. Air Force, said it is a flawed argument to claim that vulnerability review and disclosure by the government can keep enterprises safe because “it assumes vulnerabilities are finite and if we can simply fix all the vulnerabilities we will be secure.”  

“If the federal government is forced to release the details of newly discovered vulnerabilities, they will stop looking for them. To do otherwise is a waste of taxpayer dollars. The other intelligence agencies in the world will not be similarly constrained, they will continue their research and discover new vulnerabilities. They will use those against U.S. interests, including those of U.S. companies, to steal intellectual property and accelerate research and development of their own companies,” Guy told SearchSecurity. “For every vulnerability the federal government discovers, there are a dozen others still waiting to be discovered – and dozens more that will be introduced in new versions of software over the following year. To attempt to control that through the VEP is like using an umbrella in a hurricane.”

Experts debate the details of the VEP Charter

Although several experts said the new VEP Charter was a step in the right direction for federal vulnerability review, they also said the document was not perfect.

Willis McDonald, senior threat manager at Core Security, a cybersecurity company headquartered in Roswell, Ga., noted an odd discord in the White House announcement, which claimed to represent the interests of commercial equities and international partnership equities even though the VEP council “does not include any representation from either commercial or international entities.”

“For national security purposes this is an obvious exclusion but closes the door on external oversight of decisions deemed in the interest of national security. The VEP Charter limits the scope of vulnerabilities addressed by the council to certain classes which allows the reporting entity to report as they see fit vulnerabilities outside of the VEP scope,” McDonald told SearchSecurity. “Vulnerabilities discovered and shared by international partners are not addressed by the VEP, which would allow a participating entity to report the vulnerability as they see fit. The VEP merely expands the agency participants in procedures and councils already in place for making decisions on reporting vulnerabilities.”

Amie Stepanovich, U.S. policy manager at Access Now, a non-profit human rights and public policy group based in New York, said the new VEP Charter “maintains all of the loopholes of the process as it was previously formulated, and in fact creates new ones as well because of the Charter’s own recognition of the importance of cybersecurity, which is specifically undermined by unpatched vulnerabilities.”

“The VEP appears to apply to any vulnerability that is newly discovered and not publicly known, though third parties can expressly contract or agree that a vulnerability will not go through the process,” Stepanovich told SearchSecurity. “There are also other exceptions which remain classified. Additionally, practically it will require an agency determination that a vulnerability meets that standard and is unclear if they are required to consider that determination with a vulnerability that they discover.”

Early reactions to the VEP Charter said one potential loophole might be with non-disclosure agreements (NDAs) being able to keep a bug out of the federal vulnerability review process, but Moussouris said this reading might not be accurate.

“The NDA mention is likely in reference to the fact that exploit sellers may have terms of service that require their buyers not to disclose the vulnerability, such as providing the sample to the affected vendor. It’s not a loophole as characterized, but rather a deliberate commercial term by the exploit vendor to preserve their IP,” Moussouris said. “A bug is the weakness that can be exploited. An exploit in this context is software written to take advantage of that weakness, and it takes craftsmanship to engineer an exploit that works reliably against a given target. That exploit is something the exploit vendor might not want to get into the hands of the software vendor.”

Heather West, senior policy manager and Americas principal at Mozilla, agreed that the exceptions process of the VEP needed work and said there needed to be more detail on how disclosures work.

“A good disclosure makes the difference. The Charter requires the board to agree on guidelines about how to disclose — and we hope that they lean on the established expertise at DHS to put those together. No need to reinvent the wheel,” West wrote in a blog post. “Joyce talked about a six month window for retaining a vulnerability, and a quicker reconsideration for a particularly sensitive vulnerability (or one that there isn’t broad agreement about retaining). This reconsideration is critical: just because something is useful today doesn’t make it useful in six months — and indeed, the longer that it is kept, the more likely that someone else has discovered it too.”

VEP and federal vulnerability review transparency

McDonald said the overall push for transparency with the new VEP Charter could “ultimately be just as effective as policies in place prior.”

“Legislation like [the proposed PATCH Act] and the VEP Charter are in place to calm the public and paint a facade of transparency rather than actually cause change,” McDonald said. “Vulnerabilities such as those used in WannaCry would never have been released through VEP due to their usefulness in providing access to remote systems for collection purposes.”

West said the annual reports should lead to better oversight of the federal vulnerability review process.

“This will significantly help us understand how the process works — including whether or not the government is stockpiling vulnerabilities,” West wrote. “While Congress is not involved in the individual decisions that are made, they have a critical role in the oversight of the process itself.”

Stepanovich agreed “much more remains to be done” with the transparency provisions of the VEP Charter.

“Annual reports should guarantee that they will be made publicly available,” Stepanovich said. “Additionally, the Charter should specify more about what is included in the report, including not only the number of withheld vulnerabilities, but their severity and potential impact, as well as records of the frequency each agency votes to disclose or retain a vulnerability.”