The New Vulnerabilities Equities Policy and Process Charter

By MDL on November 16, 2017

An updated “Vulnerabilities Equities Policy and Process for the United States Government” charter was released on 15 NOV 2017 and describes the decision-making process for determining whether new vulnerabilities found by US government departments and agencies are disclosed or restricted.  

According to the White House Fact Sheet (pdf) on the Vulnerability Equities Process (VEP), the new charter “determines whether the Government will notify a private company about a cybersecurity flaw in its product or service or refrain from disclosing the flaw so it can be used for operational or intelligence gathering purposes.”

Rob Joyce, White House Cybersecurity Coordinator, outlined “key tenets” of the new The Vulnerability Equities Process (VEP) in a White House blog post about the process

  • Improved transparency is critical.
  • The interests of all stakeholders must be fairly represented.
  • Accountability of the process and those who operate it is important to establish confidence in those served by it.
  • Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate.

Joyce discussed the difficulties that accompany updating the VEP in his White House blog post, “The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace.”

The White House Fact Sheet on the VEP (pdf) states that “new and not publicly known cyber vulnerabilities are reviewed by multiple departments and agencies to determine whether they should be disclosed to the public using what is known as the VEP. At its most basic, the VEP balances whether to disclose vulnerability information in the expectation that the vulnerability will be patched, or temporarily restrict the knowledge of the vulnerability to the Federal Government so it can be used for national security or law enforcement purposes.”

Joyce, formerly of the National Security Agency, would be familiar with what he describes as  “the tension that exists between the desire to publicize every vulnerability discovered by the Federal Government in the conduct of its law enforcement and national security responsibilities and the need to preserve some select capability for action against extremely capable actors whose actions might otherwise go undiscovered and unchecked.”


The White House, Vulnerabilities Equities Policy and Process

for the United States Government

The White House, White House Fact Sheet on VEP

The White House blog (Rob Joyce), Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do

Fifth Domain, White House calls for greater transparency in cyber Vulnerability Equities Process

Dark Reading, White House Releases New Charter for Using, Disclosing Security Vulnerabilities