The business of offensive cyber operations and intelligence gathering increasingly requires the military and intelligence community to exploit networks, hardware, and software owned or produced by American companies and used by American citizens. Sometimes this exploitation occurs with the use of zero-day vulnerabilities. In order to determine when zero-day vulnerabilities should be exploited versus disclosed to the relevant vendor so that the vulnerability can be patched, the United States government engages in an interagency process known as the Vulnerabilities Equities Process or VEP.
Stephanie Pell sat down with Dr. Lindsey Polley, director of defense and national security at Starburst Aerospace, to talk about her recently defended dissertation, “To Disclose or Not to Disclose, That Is the Question: A Methods-Based Approach for Examining & Improving the US Government's Vulnerabilities Equities Process.” They discussed the purpose of the VEP, how it is structured to operate, and how its current state and structure impedes its ability to promote longer-term social good through its vulnerability adjudications. They also talked about some of Lindsey's recommendations to improve the VEP.