"Protecting Our Ability to Counter Hacking Act of 2017," May 17, 2017. Unclassified.
National Security Archive
The PATCH Act of 2017 tried to write into law a formal, inter-agency board to decide when the U.S. government may keep a software flaw secret and when it must hand the flaw to the vendor so it can be patched.
Source: "Protecting Our Ability to Counter Hacking Act of 2017," May 17, 2017. Unclassified. Date: May 17, 2017. Archive: senate.schatz.gov.
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
The PATCH Act in Context
On May 17, 2017 Senator Brian Schatz (D-Hawaii), joined by Senators Ron Johnson (R-Wisconsin) and Cory Gardner (R-Colorado), introduced the "Protecting Our Ability to Counter Hacking Act of 2017" (commonly called the PATCH Act). The bill answered a growing recognition that the U.S. government was retaining knowledge of software and hardware vulnerabilities, sometimes for years, while the same flaws could be found and weaponized by others. The immediate catalyst was the WannaCry ransomware outbreak of May 12, 2017, five days before the bill was introduced, which spread using an exploit for a Windows SMB flaw that the Shadow Brokers had published a month earlier and that was widely attributed to the NSA. The government's existing Vulnerabilities Equities Process, dating from 2010 and known publicly only through a redacted copy released to the Electronic Frontier Foundation under FOIA in 2016, had no statutory basis and no reporting obligations. Lawmakers, industry groups, and civil-liberties advocates pressed for a more transparent, inter-agency mechanism. The PATCH legislation sought to codify such a process in law, creating the Vulnerability Equities Review Board (VERB) as a standing body to weigh the national-security benefits of secrecy against the broader public interest in patching.
Institutional Architecture and Power Dynamics
The bill's text outlines a board composed of senior officials from the Department of Homeland Security, the FBI, the Office of the Director of National Intelligence, the CIA, the NSA, and the Department of Commerce, with the DHS Secretary serving as chair. This composition reflects an implicit hierarchy: law-enforcement and intelligence agencies hold four of the six permanent seats, while the Commerce Secretary, representing the private-sector technology community, is the sole commercial voice. DHS is not only the chair but also, under subsection (d)(5), the single channel through which every disclosure reaches a vendor, with Commerce co-designing that channel; the NSA, the agency most associated with retained vulnerabilities, is one member among six rather than the gatekeeper. The provision for ad hoc members (State, Treasury, Energy, FTC) signals that the board would be called upon whenever a vulnerability intersected diplomatic, financial, energy-security, or consumer-protection realms. The inclusion of National Security Council participants "with the approval of the President" underscores the executive's ultimate gate-keeping role.
The definitions section is telling. A vulnerability is "publicly known" only if public material "specifically discusses the vulnerability and how the vulnerability could be exploited"; a passing mention in a talk or paper would not qualify, so the flaw would remain inside the Board's process. The classified-material carve-out goes further: information that is "currently protected as classified and has been inappropriately released to the public" is still not "publicly known". The practical effect is that a leaked classified exploit would still have to go through the Board rather than being treated as already public. The bill does make one exception in subsection (d)(5)(C)(ii): a vulnerability the Board had already decided to withhold and that later becomes public drops out of the Board's process and into ordinary channels such as those under the Cybersecurity Information Sharing Act of 2015, and the classified-leak carve-out does not apply there.
What the Draft Reveals About Policy Priorities
Beyond bureaucratic structure, the act's substantive provisions reveal the sponsors' calculus. The Board is tasked with establishing policies on whether, when, how, to whom, and to what degree non-public vulnerabilities may be shared. The mandated timeline, draft policies to Congress and the President within 180 days and public release of the unclassified portion within 240 days, signals a desire for rapid yet accountable rule-making. The eleven consideration factors in subsection (d)(3)(B) read like a threat model for the disclosure decision itself: which products are affected and whether they sit in core Internet infrastructure, other critical infrastructure, the U.S. economy, or national security systems; the risk of leaving the flaw unpatched; the harm if an adversary or criminal organization obtained it; how likely the government is to notice someone else exploiting it; whether the government needs it, whether a specific operation depends on it, and whether other means exist; the likelihood that someone outside government will discover it; the risk to foreign countries; whether it can be patched at all; and whether the affected vendor has a published disclosure policy. Two of these deserve a practitioner's attention. The detection factor (iv) makes retention contingent on visibility: if the government could not tell that an adversary was using the same bug, secrecy buys little. The independent-discovery factor (viii) acknowledges that rediscovery happens, so a withheld vulnerability is a wasting asset rather than a permanent one.
Notably, the bill obliges every federal agency that obtains a non-public vulnerability to submit it to the Board's process, replacing a process that had existed only as internal executive-branch policy. Agencies may bypass the full review for vulnerabilities that are "presumptively shareable or releasable" under Board guidelines, but even those must be disclosed through the Secretary of Homeland Security, and that channel must follow voluntary consensus standards for vulnerability disclosure, which aligns government disclosures with the coordinated-disclosure norms vendors and researchers already use. Vulnerabilities the Board decides to withhold are not withheld forever: the policies must provide for periodic re-review and for release once secrecy is no longer consistent with national-security interests. Oversight is layered. Annual Board reports to Congress must state how often the Board met and the aggregate numbers of vulnerabilities reviewed, released, and withheld, with an unclassified version made public; the DHS Inspector General must report annually in consultation with other affected Inspectors General; and the Privacy and Civil Liberties Oversight Board reviews each Board report. Those counts are the kind of metric that would let outside observers judge, over time, whether the process leaned toward disclosure or retention.
Legacy and Continuing Relevance
Although the PATCH Act never became law, its core concepts resurfaced in executive action. In November 2017 the White House published an unclassified charter for the existing Vulnerabilities Equities Process, with an Equities Review Board, a listed set of participating agencies, stated decision criteria, and annual reporting that track several of the bill's provisions. The charter kept the process inside the executive branch, with the NSA as its executive secretariat rather than DHS as chair, and created no statutory reporting duty. The ongoing debate over government retention and purchase of zero-day vulnerabilities still turns on the same questions the PATCH bill tried to codify: who decides, on what criteria, and with what visibility.
For historians, the PATCH legislation is a snapshot of a moment when legislative oversight attempted to wrestle the opaque world of cyber-offense from the intelligence community. The text transcribed below is the committee draft, with the bill number left blank as "S. ______" and the referral committee unnamed; the bill was introduced as S. 1157 in the 115th Congress. Its detailed procedural blueprint provides a rare, concrete reference point for scholars tracing the evolution of U.S. cyber-policy governance. The act's emphasis on inter-agency coordination, transparent policy drafting, and explicit risk assessments continues to shape how policymakers think about balancing national security with the public's interest in a secure digital ecosystem.
BAG17434 S.L.C.
115TH CONGRESS 1ST SESSION S. ______
To establish the Vulnerability Equities Review Board, and for other purposes.
IN THE SENATE OF THE UNITED STATES
Mr. SCHATZ (for himself, Mr. JOHNSON, and Mr. GARDNER) introduced the following bill; which was read twice and referred to the Committee on
A BILL
To establish the Vulnerability Equities Review Board, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the “Protecting Our Ability to Counter Hacking Act of 2017” or “PATCH Act of 2017”.
SEC. 2. VULNERABILITY EQUITIES REVIEW BOARD.
(a) DEFINITIONS.—In this section:
(1) FEDERAL AGENCY.—The term “Federal agency” has the meaning given such term in section 551 of title 5, United States Code.
(2) PUBLICLY KNOWN.—
(A) IN GENERAL.—Except as provided in subparagraph (B), the term “publicly known”, with respect to information regarding a vulnerability, means information that—
(i) is—
(I) a verbal or electronic presentation or discussion in a publicly accessible domain; or
(II) in a paper or other published documentation in the public domain; and
(ii) that specifically discusses the vulnerability and how the vulnerability could be exploited.
(B) CLASSIFIED MATERIAL.—Information about a vulnerability shall not be considered “publicly known” if the information is currently protected as classified and has been inappropriately released to the public.
(3) VENDOR.—The term “vendor”, with respect to a technology, product, system, service, or application, means the person who—
(A) developed the technology, product, system, service, or application; or
(B) is responsible for maintaining the technology, product, system, service, or application.
(4) VULNERABILITY.—The term “vulnerability” means a design, configuration, or implementation weakness in a technology, product, system, service, or application that can be exploited or triggered to cause unexpected or unintended behavior.
(b) ESTABLISHMENT.—There is established the Vulnerability Equities Review Board (in this section the “Board”).
(c) MEMBERSHIP.—
(1) PERMANENT MEMBERS.—The permanent members of the Board consist of the following:
(A) The Secretary of Homeland Security, or the designee of the Secretary, who shall be the chair of the Board.
(B) The Director of the Federal Bureau of Investigation, or the designee of the Director.
(C) The Director of National Intelligence, or the designee of the Director.
(D) The Director of the Central Intelligence Agency, or the designee of the Director.
(E) The Director of the National Security Agency, or the designee of the Director.
(F) The Secretary of Commerce, or the designee of the Secretary.
(2) AD HOC MEMBERS.—The Board shall include as members, on an ad hoc basis, the following:
(A) The Secretary of State, or the designee of the Secretary, when the Board considers matters under the jurisdiction of such secretary.
(B) The Secretary of the Treasury, or the designee of the Secretary, when the Board considers matters under the jurisdiction of such secretary.
(C) The Secretary of Energy, or the designee of the Secretary, when the Board considers matters under the jurisdiction of such secretary.
(D) The Federal Trade Commission, or the designee of the Commission, when the Board considers matters relating to the Commission.
(3) OTHER PARTICIPANTS.—Any member of the National Security Council under section 101 of the National Security Act of 1947 (50 U.S.C. 3021) who is not a permanent or ad hoc member of the Board may, with the approval of the President, participate in activities of the Board when requested by the Board.
(d) DUTIES.—
(1) POLICIES.—
(A) IN GENERAL.—The Board shall establish policies on matters relating to whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released by the Federal Government to a non-Federal entity.
(B) AVAILABILITY TO THE PUBLIC.—To the degree that the policies established under subparagraph (A) are unclassified, the Board shall make such policies available to the public.
(C) DRAFT POLICIES.—
(i) SUBMITTAL TO CONGRESS.—
(I) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Board shall submit to Congress and the President a draft of the policies required by subparagraph (A), along with a description of any challenges or impediments that may require legislative or administrative action.
(II) FORM.—The draft submitted under subclause (I) shall be in unclassified form, but may include a classified annex.
(ii) PUBLICATION.—Not later than 240 days after the date of the enactment of this Act, the Board shall make available to the public a draft of the policies required by subparagraph (A), to the degree that such policies are unclassified.
(2) REQUIREMENT.—The head of each Federal agency shall, upon obtaining information about a vulnerability that is not publicly known, subject such information to the process established under paragraph (3)(A).
(3) PROCESS.—
(A) IN GENERAL.—The Board shall establish the process by which the Board determines whether, when, how, to whom, and to what degree the Federal Government shares or releases information to a non-Federal entity about a vulnerability that is not publicly known.
(B) CONSIDERATIONS.—The process established under subparagraph (A) shall include, with respect to a vulnerability, consideration of the following:
(i) Which technologies, products, systems, services, or applications are subject to the vulnerability, including whether the products or systems are used in core Internet infrastructure, in other critical infrastructure systems, in the United States economy, or in national security systems.
(ii) The potential risks of leaving the vulnerability unpatched or unmitigated.
(iii) The harm that could occur if an actor, such as an adversary of the United States or a criminal organization, were to obtain information about the vulnerability.
(iv) How likely it is that the Federal Government would know if someone external to the Federal Government were exploiting the vulnerability.
(v) The need of the Federal Government to exploit the vulnerability.
(vi) Whether the vulnerability is needed for a specific ongoing intelligence or national security operation.
(vii) If a Federal entity would like to exploit the vulnerability to obtain information, whether there are other means available to the Federal entity to obtain such information.
(viii) The likelihood that a non-Federal entity will discover the vulnerability.
(ix) The risks to foreign countries and the people of foreign countries of not sharing or releasing information about the vulnerability.
(x) Whether the vulnerability can be patched or otherwise mitigated.
(xi) Whether the affected non-Federal entity has a publicly disclosed policy for reporting and disclosing vulnerabilities.
(4) EXCLUSION FROM PROCESS OF VULNERABILITIES PRESUMPTIVELY SHAREABLE OR RELEASABLE.—
(A) IN GENERAL.—Under guidelines established by the Board, a Federal agency may share or release information to a non-Federal entity about a vulnerability without subjecting such information to the process under paragraph (3)(A) if the agency determines that such information is presumptively shareable or releasable. The guidelines shall specify the standards to be used to determine whether or not information is presumptively shareable or releasable for purposes of this paragraph.
(B) RULE OF CONSTRUCTION.—Subparagraph (A) shall not be construed to imply that information which is determined under such subparagraph to be presumptively shareable or releasable is exempt from the requirements of subparagraph (A) of paragraph (5) or the sharing process established under subparagraph (B) of such paragraph.
(5) DISSEMINATION OF INFORMATION ON VULNERABILITIES.—
(A) SHARING THROUGH SECRETARY OF HOMELAND SECURITY.—
(i) IN GENERAL.—In any case in which the Board determines under paragraph (3)(A) that information about a vulnerability not otherwise publicly known should be shared with or released to an appropriate vendor, the Board shall provide the information to the Secretary of Homeland Security and the Secretary shall, on behalf of the Federal Government, share or release the information as directed by the Board.
(ii) PRESUMPTIVELY SHAREABLE OR RELEASABLE INFORMATION.—In any case in which a Federal agency determines under paragraph (4)(A) that information about a vulnerability is presumptively shareable or releasable, the Federal agency shall provide such information to the Secretary and the Secretary shall, on behalf of the Federal Government, share or release the information.
(B) SHARING PROCESS.—
(i) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the Secretary of Commerce, shall establish the process by which the Secretary of Homeland Security shares or releases information pursuant to subparagraph (A).
(ii) USE OF VOLUNTARY CONSENSUS STANDARDS.—The Secretary shall ensure that
(I) any sharing or release of information under subparagraph (A) is made in accordance with voluntary consensus standards for disclosure of vulnerabilities; and
(II) the process established under clause (i) is consistent with such standards.
(C) INFORMATION NOT DETERMINED TO BE SHAREABLE OR RELEASABLE.—
(i) IN GENERAL.—The policies under paragraph (1) shall provide for—
(I) the periodic review of vulnerabilities that are determined by the Board, pursuant to the process established under paragraph (3)(A), not to be shareable or releasable, in order to determine whether such vulnerabilities may be shared or released in a manner consistent with the national security interests of the United States; and
(II) the sharing with or releasing to appropriate non-Federal entities of information about vulnerabilities that may be shared or released in a manner consistent with the national security interests of the United States following review under subclause (I).
(ii) IN CASE OF LATER BECOMING PUBLICLY KNOWN.—
(I) IN GENERAL.—In the case of a vulnerability that was not publicly known and determined not to be shareable or releasable pursuant to clause (i)(I) and then subsequently becomes publicly known, the vulnerability shall not be subject to the process established under paragraph (3)(A) and shall be subject to such other Federal procedures and interagency operation processes as may be applicable, such as procedures and processes established to carry out the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.).
(II) APPLICABILITY TO CLASSIFIED MATERIAL.—In this clause, subparagraph (B) of subsection (a)(2) shall not apply.
(e) COMPLIANCE.—Each head of a Federal agency shall ensure that the agency complies with the policies issued by the Board under this section.
(f) OVERSIGHT.—
(1) ANNUAL REPORTS BY BOARD.—
(A) IN GENERAL.—Not less frequently than once each year, the Board shall submit to the appropriate committees of Congress a report on the activities of the Board and the policies issued under subsection (d).
(B) CONTENTS.—In addition to information about the activities and policies described in subparagraph (A), the report required by such subparagraph shall also include the following:
(i) The frequency of meetings held by the Board.
(ii) The aggregate number of vulnerabilities reviewed by the Board.
(iii) The number of vulnerabilities determined by the Board to be shareable or releasable.
(iv) The number of vulnerabilities determined by the Board not to be shareable or releasable.
(v) Such other matters as the Board considers appropriate.
(C) AVAILABILITY TO THE PUBLIC.—For each report submitted under subparagraph (A), the Board shall make an unclassified version of the report available to the public.
(2) ANNUAL REPORTS ON ACTIVITIES OF IGS.—
(A) IN GENERAL.—Not less frequently than once each year, the Inspector General of the Department of Homeland Security shall, in consultation with the Inspectors General of other Federal agencies whose work is affected by activities of the Board, submit to the appropriate committees of Congress a report on the activities of all such Inspectors General during the preceding year in connection with the activities of the Board, the policies issued under subsection (d), and the sharing and releasing of information about vulnerabilities pursuant to such policies.
(B) AVAILABILITY TO THE PUBLIC.—For each report submitted under subparagraph (A), the Inspector General of the Department of Homeland Security shall make an unclassified version of the report available to the public.
(3) FORM.—Each report under paragraphs (1) and (2) shall be submitted in unclassified form, but may include a classified annex.
(4) REVIEW BY PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.—
(A) IN GENERAL.—The Privacy and Civil Liberties Oversight Board shall review each report submitted under paragraph (1).
(B) CONSULTATION.—The Vulnerability Equities Review Board may consult with the Privacy and Civil Liberties Oversight Board as the Vulnerability Equities Review Board considers appropriate.
(5) APPROPRIATE COMMITTEES OF CONGRESS DEFINED.—In this subsection, the term “appropriate committees of Congress” means—
(A) the Committee on Homeland Security and Governmental Affairs, the Committee on Commerce, Science, and Transportation, and the Select Committee on Intelligence of the Senate; and
(B) the Committee on Homeland Security, the Committee on Oversight and Government Reform, the Committee on Energy and Commerce, and the Permanent Select Committee on Intelligence of the House of Representatives.
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037. Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu