Today, White House Cybersecurity Coordinator Rob Joyce released information about the Vulnerability Equities Process (VEP), which determines whether the U.S. government discloses or exploits cybersecurity flaws that it finds or learns about in companies’ products and services. The White House also said that it will release statistics on how many vulnerabilities are disclosed versus retained for later exploitation. The complicated and important process has implications for cybersecurity, privacy, and economic competitiveness, and the Center for Democracy & Technology (CDT) has previously pushed for the process to be more transparent to the public.
“The VEP charter makes clear that government-discovered vulnerabilities should be disclosed unless there is a demonstrable law enforcement or intelligence reason to retain them,” said Michelle Richardson, Deputy Director of CDT’s Freedom, Security, and Technology Project. “This formal and public government policy is unprecedented and should prevent the government from amassing vulnerabilities for later use.”
Richardson added, “The list of considerations to guide any single determination clearly recognizes how high the stakes are, and we hope the forthcoming statistics reflect the charter’s preference for protecting the health of the internet and its users. Government hacking may be a necessary evil, but it still can be conducted in a targeted, thoughtful way.”