Fourth time around for vulnerability disclosure bill

Rep. Sheila Jackson Lee presides over a committee hearing. Tom Williams/CQ-Roll Call, Inc via Getty Images

Rep. Sheila Jackson Lee (D-Texas) is taking yet another stab at getting the executive branch to tell Congress more about its process of disclosing (or stockpiling) zero-day bugs.

A bill to require the government to give Congress details about the practice of stockpiling zero-day bugs is getting a fourth chance to become law.

Rep. Sheila Jackson Lee (D-Texas), one of the most senior Democrats of the House Homeland Security Committee, reintroduced the Cybersecurity Vulnerability Disclosure Act earlier this month. The legislation would require the secretary of the Department of Homeland Security to report annually on government policies and processes for sharing information obtained by government agencies on flaws contained in commercially available software and computer systems.

Under the bill, the DHS secretary would also be required to report specific instances of vulnerability disclosures and industry responses to information shared by DHS and other federal entities.

Jackson Lee's bill passed the House of Representatives on a voice vote in 2018, but did not get a vote in the Senate. Before that vote, the Texas Democrat argued that the bill "will give this body important information on our governmentwide efforts to secure civilian agency networks and the collaborative ongoing work to provide information to private sector partners on computing vulnerabilities."

The lawmaker offered the bill again in 2019 and 2021, but it never received a House vote. It's not clear how the bill will fare in 2023 under the current Congress.

Although the bill hasn't yet become law, interest in whether the government was stockpiling zero-day bugs for its own use spurred the public release of some details on the vulnerability disclosure process under the Trump administration. This move followed the hack-and-dump of National Security Agency-held exploits by the hacking group Shadow Brokers in 2017.

Under the bill, DHS would have 240 days to produce its first report.