Page 67 - Cyber Defense eMagazine - December 2017
WHITE HOUSE RELEASE OF VULNERABILITIES EQUITIES PROCESS VALIDATES INDUSTRY CONCERNS
by Willis McDonald, Threat Research Manager and Senior Threat Research, Core Security
When the U.S. Government discovers an unpatched vulnerability, it has a choice:
disclose the vulnerability to the vendor so that it can be patched, or exploit the
vulnerability for its own purposes. It’s not an easy call. Disclosure may eliminate an
opportunity to gather valuable intelligence, while keeping an exploit secret can put both
the public and private sectors at risk, as demonstrated by the WannaCry ransomware
outbreak.
To assist the government in its efforts, the Obama Administration established the
Vulnerabilities Equities Process (VEP), a set of rules used for determining whether the
U.S. Government should disclose a zero-day security vulnerability. The VEP has long
been criticized for its lack of transparency and oversight. Last month, the Trump
administration released the charter to the public.
Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.