Today, Rob Joyce, White House Cybersecurity Coordinator, released a new charter for the Vulnerabilities Equities Process (VEP). The VEP, established by the Obama administration, weighs various considerations to determine whether or not to disclose software vulnerabilities in the government’s possession. OTI has been a strong supporter of reforming the highly secretive process.
The following statement can be attributed to Andi Wilson, policy analyst at New America’s Open Technology Institute:
We appreciate today’s release of documents providing the public with further information about the Vulnerabilities Equities Process. In general, the more transparency, the better. However, in addition to transparency, it is important that we can trust that the VEP is restricted by rules set by Congress. This administration, or the next, could undo the steps that have been described to us today with the stroke of a pen. This announcement should not distract from the necessity to codify the VEP through legislation like the PATCH Act. Codification of the Vulnerabilities Equities Process is crucial to ensure confidence and trust in the process that evaluates the risks posed by dangerous flaws in software and hardware.