Sharon Bradford Franklin and Andi Wilson wrote for Lawfare about the need for a Vulnerabilities Equities Process (VEP) that protects cybersecurity and promotes transparency:
When the government discovers a bug in any computer hardware or software system, should it immediately inform the device or software manufacturer, so the company can create a patch and protect its customers’ cybersecurity? When should the government be permitted to keep the information to itself, and exploit the vulnerability to hack into devices in support of law enforcement and intelligence agency operations? By promptly notifying manufacturers and allowing them to repair cyber vulnerabilities, the government serves its responsibility to protect the nation from cyber attacks, which can harm not only our information systems, but also our financial systems, critical infrastructure, and public safety. Yet, as we have long known, the government also restricts knowledge of some cyber vulnerabilities for exploitation in law enforcement and intelligence operations.