Vulnerabilities Equities Reform

Latest in Vulnerabilities Equities Reform


The Future of Vulnerabilities Equities Processes Around the World

As governments increasingly find themselves needing information from networked sources for law enforcement, intelligence, and military purposes, one of the most difficult dilemmas they face concerns the use of so-called zero day vulnerabilities—previously unknown flaws or bugs that can sometimes be exploited to gain access to servers that house information or control networks and infrastructure. Governments often have researchers looking for these flaws, and sometimes, governments purchase them on the open market.


Adding Data to the VEP Debate: RAND's New Report

When WikiLeaks shed light on the CIA’s stockpile of software vulnerabilities last week, it revived—but hardly clarified—the debate on whether the government hoards too many bugs. In principle, the interagency Vulnerability Equities Process (VEP) ensures that a flaw is disclosed when the interest in patching it exceeds other governmental interests in exploiting it. Privacy advocates have long suspected that, in practice, the deck is stacked against disclosure.

The Lawfare Podcast

The Lawfare Podcast: Dave Aitel and Matt Tait on How "Everything You Know About the Vulnerability Equities Process Is Wrong"

Dave Aitel and Matt Tait come on the podcast to chat with Benjamin Wittes about their recent Lawfare essay critiquing the current status of the Vulnerability Equities Process. Matt and Dave argue that the process by which the US government decides whether or not to disclose software vulnerabilities is fundamentally broken, and that now is the time to discuss how to fix it.


Everything You Know About the Vulnerability Equities Process Is Wrong

The vulnerability equities process (VEP) is broken. While it is designed to ensure the satisfaction of many equities, in reality it satisfies none—or at least, none visible to those beyond the participants of the insular process. Instead of meaningfully shaping best outcomes, the VEP provides thin public relations cover when the US government is questioned on its strategy around vulnerabilities.


Vulnerabilities Equities Reform That Makes Everyone (And No One) Happy

National Security Council veterans Ari Schwartz and Rob Knake recently released a paper entitled Government’s Role in Vulnerability Disclosure. The paper, published by Harvard’s Belfer Center, catalogues the existing government mechanisms for determining whether to disclose a newly discovered vulnerability in hardware and software products and makes a series of recommendations for reform. The recommendations include both useful steps and a few proposals I argue are ultimately counterproductive.
