EFF Questions US Government's Software Flaw Disclosure Policy

angry tapir writes: It's not clear if the U.S. government is living up to its promise to disclose serious software flaws to technology companies, a policy it put in place five years ago, according to the Electronic Frontier Foundation. They write, "ODNI has now finished releasing documents in response to our suit, and the results are surprisingly meager. Among the handful of heavily redacted documents is a one-page list of VEP 'Highlights' from 2010. It briefly describes the history of the interagency working group that led to the development of the VEP and notes that the VEP established an office called the 'Executive Secretariat' within the NSA. The only other highlight left unredacted explains that the VEP 'creates a process for notification, decision-making, and appeals.' And that's it. This document, which is almost five years old, is the most recent one released. So where are the documents supporting the 'reinvigorated' VEP 2.0 described by the White House in 2014?"

No new policy

The summary states:
"...This document, which is almost five years old, is the most recent one released. So where are the documents supporting the 'reinvigorated' VEP 2.0 described by the White House in 2014?""

The phrase "reinvigorated" appears in the link cited in this sentence:
This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities

(emphasis mine)

So, the summary is misleading: the White House did not announce a new policy; the link clearly and unambiguously states that they are continuing "existing policy." There are no documents supporting the 'reinvigorated' VEP 2.0 because there is no "VEP 2.0"-- the blog cited states that they are continuing existing policy. In short: "ain't nothing changed."

Read your own links, summarizers.