To Disclose or Not To Disclose: Federal Government & Cybersecurity Vulnerabilities

Client Alert | 1 min read | 11.16.17

On November 15, 2017, the White House Cybersecurity Coordinator, Rob Joyce, announced a formative cybersecurity policy entitled “Vulnerabilities Equities Policy and Process for the United States Government.”

According to the policy, the primary focus is to “prioritize the public's interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy through the disclosure of vulnerabilities discovered by the United States Government (USG).” The Vulnerabilities Equities Process (VEP) balances dissemination of vulnerability information (e.g., zero day exploits) to the vendor/supplier in the expectation that it will be patched with temporarily restricting the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence. In striking this balance, the policy aims to increase transparency regarding the process for the public and businesses, and also signals that the US will join with several countries that have announced formal policies in this area regarding management of vulnerabilities. Interestingly, this policy expands the management of vulnerabilities to include a broad array of national security and intelligence agencies.

This policy supersedes the Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process, dated February 16, 2010.

This policy applies to all USG components and personnel and contractors and includes Government off-the-shelf (GOTS), Commercial off-the-shelf (COTS), or other commercial information systems (to include open-source software), Industrial Control Systems (ICS) or products, and associated systems such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).

Businesses and the public will likely be interested in the annual public reporting that is promised, which may include statistics about how many vulnerabilities go through the process and even potentially how long they are withheld from disclosure.

Contacts

Matthew B. Welling
Partner
- Washington, D.C.
  - D | +1.202.624.2588
bXdlbGxpbmdAY3Jvd2VsbC5jb20=
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Evan D. Wolff
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2615
ZXdvbGZmQGNyb3dlbGwuY29t

Insights

Client Alert | 8 min read | 06.30.25

AI Companies Prevail in Path-Breaking Decisions on Fair Use

Last week, artificial intelligence companies won two significant copyright infringement lawsuits brought by copyright holders, marking an important milestone in the development of the law around AI. These decisions – Bartz v. Anthropic and Kadrey v. Meta (decided on June 23 and 25, 2025, respectively), along with a February 2025 decision in Thomson Reuters v. ROSS Intelligence – suggest that AI companies have plausible defenses to the intellectual property claims that have dogged them since generative AI technologies became widely available several years ago. Whether AI companies can, in all cases, successfully assert that their use of copyrighted content is “fair” will depend on their circumstances and further development of the law by the courts and Congress....

Client Alert | 3 min read | 06.30.25
The New EU “Pharma Package”: Preparing for the Trilogues
Client Alert | 3 min read | 06.26.25
FDA Targets Gene Editing Clinical Trials in China and other “Hostile Countries”
Client Alert | 3 min read | 06.26.25
Nexus, Schmexus: Patent Licenses Do Not Need a Nexus to Specific Patent Claims to Be a Secondary Consideration of Nonobviousness

View All Insights