The Vulnerabilities Equities Process (VEP) is an interagency mechanism used by the U.S. government to weigh whether a previously unknown software or hardware vulnerability—often called a zero-day—should be disclosed to the affected vendor so it can be patched, or withheld so that intelligence, law enforcement, and military agencies can exploit it.
The process traces its origins to recommendations made during the George W. Bush administration and was formalized under the Obama administration. After public pressure following the 2013 Snowden disclosures and the 2017 WannaCry and NotPetya outbreaks—both of which leveraged the leaked NSA exploit EternalBlue—the Trump White House released an unclassified VEP Charter in November 2017, describing the governance structure for the first time.
Under the 2017 charter, an Equities Review Board (ERB) chaired by the National Security Council convenes representatives from agencies including the NSA, CIA, FBI, DHS/CISA, Departments of State, Treasury, Commerce, Energy, Defense, and Justice. The NSA serves as the executive secretariat. The ERB weighs factors such as:
- the prevalence of the vulnerable product,
- the severity of potential harm if exploited by adversaries,
- the likelihood others will independently discover it,
- the intelligence or operational value of retaining it,
- and the availability of mitigations.
Decisions can be to disclose immediately, disclose after a delay, or retain. Retained vulnerabilities are reviewed annually.
Critics—including civil liberties groups and many in the cybersecurity industry—argue the VEP lacks statutory grounding, transparency about retention rates, and binding criteria. Proposed legislation such as the PATCH Act, introduced in 2017 by Senators Schatz, Johnson, and Gardner and Representatives Lieu and Farenthold, sought to codify the process, but did not pass. Other governments, including the United Kingdom (GCHQ's Equities Process) and Australia, have published broadly similar frameworks, though disclosure rates and procedures vary and remain largely classified.
Example
In November 2017, the Trump administration published the VEP Charter, naming the NSA as executive secretariat of the Equities Review Board following criticism over the EternalBlue exploit's role in the WannaCry attack earlier that year.
Frequently asked questions
The 2017 charter applies to vulnerabilities the U.S. government acquires or discovers, including those obtained from contractors or commercial vendors, though specific contractual carve-outs may exist and are not fully public.
Keep learning