11 comments

[ 0.22 ms ] story [ 48.3 ms ] thread
Just what I thought security policies and standards couldn't get any worse now we have Congress trying to dictate what a secure is.
Big tech lobbyists will kill it in the Senate. What they should have done is make it so "no warranties/liablity" in software licenses don't apply to damages caused by known CVEs. Then everyone is protected, not just DoD.
The DoD is not worried about lawsuits. Is it really not clear why the DoD is not ok with no warranties software?
House should pass bill that congress can't have any equities
It looks like the policy isn't as rigid as this tweet suggests – the next couple bullets in the bill appear to say you can have known vulnerabilities so long as they're explicitly disclosed and have a mitigation plan. The full text is at https://www.congress.gov/bill/117th-congress/house-bill/7900..., heading "SEC. 6722. DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT."

The wording is left a little ambiguous though since there's no "and"s & "or"s to join those bullets (1)-(3). I've never understood why they can't use more standardized boilerplate in legal text for and/or/xor logical clauses, to eliminate that kind of issue.

For that matter, I also don't get why this official congress.gov site can't manage to support basic anchor links! Or even better yet, links that automatically resolve references like "subsections (b)(1)" in the text of the bill...

Am I the only one to wonder what CVEs are?
Common Vulnerabilities and Exposures, essentially no unpatched holes allowed.
Now, I wonder what about the vulnerabilities that NSA knows, or have introduced. Then again those are only known to them. So it is probably fine.