PATCH Act Is Important Step Forward on Federal Responsible Disclosure Policy

May 17, 2017

WASHINGTON—The Information Technology and Innovation Foundation (ITIF), the top-ranked U.S. science- and tech-policy think tank, today released the following statement from Daniel Castro, ITIF vice president, on the introduction of the Protecting Our Ability to Counter Hacking (PATCH) Act by Senators Brian Schatz (D-HI), Ron Johnson (R-WI), and Cory Gardner (R-CO), and Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX):

Every year, the federal government discovers countless vulnerabilities in software and hardware products used by millions of American businesses and individuals. But instead of responsibly disclosing this information to the developers who can fix these flaws, the U.S. government will sometimes hoard these vulnerabilities to use against others. Without this information, these systems are left vulnerable to hackers who can wage cyber attacks against America and its allies. The PATCH Act is a critical step forward to reform this broken process. The legislation will bring needed transparency to the vulnerabilities equities process (VEP) and balance national security interests with economic interests. Moreover, disclosing vulnerabilities to companies in a timely manner will allow them to develop patches sooner and help keep the nation secure.