A Quick Note on the Vulnerabilities Equities Process

Posted on Feb 28, 2018

In late 2017, the government announced the Vulnerabilities Equities Policy and Process by which they decide to disclose software flaws with the potential of turning into cyberweapons, would be made public. The process had been described as was once “opaque, fueling suspicion that it cloaked a stockpile of software flaws that the National Security Agency was hoarding to go after foreign targets but that put Americans’ cyber­security at risk.”  While the rules by which the government comes to a decision on disclosing the information had not changed, the process is now less opaque to those outside of the government.

The process details considerations of threat, vulnerability, impact, and mitigation. Additionally, the public is able to see that part of the process includes a monthly review of newly discovered vulnerabilities by the NSA, CIA, FBI, Treasury, Commerce, and State Departments, as well as the Office of Management and Budget.

A few points of discussion in the now public process have been:

  • agency involvement in the decision making process,
  • the length of time the process o takes, and
  • the government’s commitment to disclose vulnerabilities.

As the government practices transparency and discloses vulnerabilities it discovers, the cybersecurity risk ecosystem stands to benefit-- as does the public.

Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!