To Disclose or Not To Disclose: Federal Government & Cybersecurity Vulnerabilities
Client Alert | 1 min read | 11.16.17
On November 15, 2017, the White House Cybersecurity Coordinator, Rob Joyce, announced a formative cybersecurity policy entitled “Vulnerabilities Equities Policy and Process for the United States Government.”
According to the policy, the primary focus is to “prioritize the public's interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy through the disclosure of vulnerabilities discovered by the United States Government (USG).” The Vulnerabilities Equities Process (VEP) balances dissemination of vulnerability information (e.g., zero day exploits) to the vendor/supplier in the expectation that it will be patched with temporarily restricting the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence. In striking this balance, the policy aims to increase transparency regarding the process for the public and businesses, and also signals that the US will join with several countries that have announced formal policies in this area regarding management of vulnerabilities. Interestingly, this policy expands the management of vulnerabilities to include a broad array of national security and intelligence agencies.
This policy supersedes the Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process, dated February 16, 2010.
This policy applies to all USG components and personnel and contractors and includes Government off-the-shelf (GOTS), Commercial off-the-shelf (COTS), or other commercial information systems (to include open-source software), Industrial Control Systems (ICS) or products, and associated systems such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).
Businesses and the public will likely be interested in the annual public reporting that is promised, which may include statistics about how many vulnerabilities go through the process and even potentially how long they are withheld from disclosure.
Contacts
Insights
Client Alert | 3 min read | 10.15.25
On August 15, 2025, the Treasury Department and IRS released updated guidance concerning Beginning of Construction requirements to qualify for clean energy tax credits. This new guidance is critical for developers to consider as they rush to qualify for the tax credits before they expire entirely. The much-anticipated guidance followed the July 7, 2025 Executive Order 14315, Ending Market Distorting Subsidies for Unreliable, Foreign-Controlled Energy Sources (“July 7, 2025 Executive Order”), which signaled that the Trump Administration was planning to strictly enforce the termination of production and investment tax credits for solar and wind facilities that are set to expire under the One Big Beautiful Bill Act (OBBB Act), covered in more detail here. The new guidance comes at a time when many in the industry are struggling to keep up with the myriad ways that the new administration is working to roll back wind and solar tax credits, leaving developers to piece through the recent guidance to determine how best to structure and invest in clean energy projects given the volatile position of the current administration vis-a-vis wind and solar energy.
Client Alert | 10 min read | 10.15.25
Client Alert | 4 min read | 10.14.25
Client Alert | 35 min read | 10.13.25
Building Blocks of Design Law: CJEU rules on LEGO Group Modular Design Protection
