The Vulnerabilities Equities Process (VEP) is the interagency mechanism by which the U.S. government weighs competing interests when one of its agencies discovers a previously unknown software or hardware flaw — a so-called zero-day. The core tension is between defensive equities (patching the flaw to protect U.S. and allied networks, critical infrastructure, and consumers) and offensive equities (retaining the vulnerability for intelligence collection, law enforcement access, or military cyber operations).
The process traces its origins to a 2010 interagency policy and was substantially reformed after the 2013 Snowden disclosures and the 2017 Shadow Brokers leaks, which exposed NSA-developed exploits later repurposed in the WannaCry and NotPetya attacks. In November 2017, the White House published the Vulnerabilities Equities Policy and Process for the United States Government, a charter that made the framework more transparent and named the National Security Council as the executive secretariat, with the NSA initially designated as the executive secretariat for the equities review board.
Participating bodies typically include the NSA, CIA, FBI, DHS/CISA, Departments of State, Treasury, Commerce, Energy, Defense, and Justice, plus the Office of the Director of National Intelligence. The board considers factors such as how widely the affected product is used, the severity of potential harm if exploited by adversaries, the likelihood that others will independently discover the flaw, and the operational value of retention. Default disposition under the 2017 charter favors disclosure, with retention requiring justification and periodic reconsideration.
Critics — including the EFF, civil-society researchers, and some members of Congress — argue the VEP lacks statutory grounding, that classified retention decisions evade meaningful oversight, and that hoarded exploits inevitably leak. Proposed reforms include the bipartisan PATCH Act (introduced 2017, not enacted), which would have codified the process in law. Several other states, notably the United Kingdom (via the NCSC's Equities Process), have adopted analogous frameworks.
Example
In 2017, after the Shadow Brokers leaked NSA-developed exploits that fueled the WannaCry ransomware outbreak, the Trump administration published the VEP charter to make the U.S. disclosure-versus-retention process more transparent.
Frequently asked questions
Under the 2017 charter, the National Security Council oversees the process, and an interagency Equities Review Board — historically with the NSA as executive secretariat — adjudicates individual vulnerabilities.
Keep learning