The public release of the Vulnerability Equities Process (VEP) charter by the White House in late 2017 went a long way toward satisfying the public’s curiosity about the secretive, high-profile and contentious process by which the U.S. government decides whether to temporarily withhold or publicly disclose zero-day software vulnerabilities—that is, vulnerabilities for which no patches exist. Just recently, the U.K.
Latest in VEP
When WikiLeaks shed light on the CIA’s stockpile of software vulnerabilities last week, it revived—but hardly clarified—the debate on whether the government hoards too many bugs. In principle, the interagency Vulnerability Equities Process (VEP) ensures that a flaw is disclosed when the interest in patching it exceeds other governmental interests in exploiting it. Privacy advocates have long suspected that, in practice, the deck is stacked against disclosure.