Expert warns U.S. against vulnerability reporting mandate

The U.S. government has been warned against implementing early vulnerability reporting mandates recently adopted by China, which could only significantly increase the odds of improper zero-day flaw management, SecurityWeek reports. Vulnerabilities should only be initially known by organizations responsible for developing fixes prior to patch availability, according to Luta Security CEO Katie Moussouris. "Adding government entities to the embargo during vulnerability coordination and disclosure will not meaningfully add to our safety, but it does meaningfully and dramatically increase the risk of a leak before a patch is ready," said Moussouris. Moreover, having the government aggregate all vulnerabilities in a single repository may lead to catastrophic results in the event of potential compromise. "We will not see an increase in our cyber resilience by fashioning laws to artificially bring the government into Coordinated Vulnerability Disclosure as an observing party to unpatched vulnerabilities. What we do need are more organizations around the world who are prepared with asset lists, SBOMs, and well-oiled vulnerability response capabilities that are ready, able, and willing to help collectively defend the Internet that we all share," she added. Moussouris' statements come after the Cyber Safety Review Board noted that China's new policy mandating the reporting of vulnerabilities to the government two days prior to patch availability could lead to "a window in which to exploit vulnerabilities before network defenders can patch them."