Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter
Article/Op-Ed in Lawfare

Jan. 13, 2021
Andi Wilson Thompson wrote for Lawfare about how the Vulnerabilities Equities Process (VEP), publicly released three years ago, has failed to live up to its promises of greater transparency around how the government decides whether to disclose the software vulnerabilities in its possession.
Established by the Obama administration, the VEP outlines the procedure through which the government weighs various considerations in determining when to disclose software vulnerabilities and when to retain them for exploitation for law enforcement or foreign intelligence purposes. Disclosure enables the affected company or entity to patch the vulnerability and protect users’ cybersecurity. Until the charter was released, all the public knew about the VEP came from a blog post written in 2014 by Michael Daniel, then the White House cybersecurity coordinator, and from documents obtained through a Freedom of Information Act request by the Electronic Frontier Foundation.
Why is the VEP so important? Much of cybersecurity can be reduced to a constant race between the security experts trying to discover and patch vulnerabilities and the attackers seeking to uncover and exploit those same vulnerabilities. The consequences of a vulnerability can range from something minor, like a product feature not working, to something far more concerning, like enabling a criminal to steal a user’s private information. On a broader scale, a vulnerability in commonly used software can be leveraged to wreak havoc on entire systems, as in the WannaCry ransomware attacks that used a Windows vulnerability to, among other things, shut down networks of Britain’s National Health Service. This risk is compounded further by the number of people who use common software programs and popular mobile hardware, or visit major websites, every day.