Documentation entered into public record last week acknowledged that in some cases the U.S. government condones the exploitation ofzero-day vulnerabilities in software for intelligence and law enforcementpurposes rather than alerting the software manufacturer or public of thesecurity flaw.
The U.S. government's “VulnerabilitiesEquities Process” (VEP), which delineates the procedure for determining ifa vulnerability should be disclosed or withheld, was disclosed in response to a Freedom ofInformation Act (FOIA) lawsuit filed by watchdog group the Electronic FrontierFoundation (EFF). The U.S. originally submitted a highly redacted version ofthe VEP in September 2015, but a subsequent court challenge by the EFFled to this latest version with fewer blacked-out passages.
The VEP stated that the discovery of vulnerabilities “maypresent competing equities for USG offensive and defensive mission interests,”and that these equities must be weighed before determining whether or not todisseminate the information.
