A new version of the Vulnerabilities Equities Process (VEP) is out.
On Wednesday the White House released guidelines on how the US Government will henceforth manage the Vulnerability Equities Process (VEP), the system that governs when software vulnerabilities discovered by the Government (mostly Intelligence agencies) will be disclosed and when they'll be held for use in intelligence collection or cyber operations (White House Fact Sheet). White House Cybersecurity Coordinator Rob Joyce explained the move in a blog post as "the right thing to do" (White House). The new process is designed to achieve: (1) "Improved transparency is critical." (2) "The interests of all stakeholders must be fairly represented." (3) "Accountability of the process and those who operate it is important to establish confidence in those served by it." (4) "Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate."
Reactions generally welcomed the announcement as a step toward transparency (ZDNet). The Mozilla Foundation likes it, seeing it as consistent with the PATCH Act (Open Policy and Advocacy). The Information Technology and Innovation Foundation (ITIF) also approves (Public). The Council on Foreign Relations gives the VEP a sober "Pass" (CFR).
A Recorded Future study of China's vulnerability disclosure practices presents an instructive contrast: security agencies there call the shots.