The line between reporting zero-day exploits that can be a great risk to the public and creating a large advantage for offensive cyber attacks is extremely thin. As more devices are being connected to the Internet and providing additional opportunities for attacks, there has been no clear response as to how malicious organizations are being stopped by the government.
Following an official press release from White House Cybersecurity Coordinator Rob Joyce, the US has revealed that there may not be "massive stockpiles" of exploits just waiting to be used. Instead, known exploits are submitted to the Vulnerabilities Equities Process (VEP). The VEP determines whether the risk is worth keeping a known vulnerability private or making it public.
The decision to keep security problems confidential can have enormous impact. Leaving holes in applications and networks can lead to the rapid spread of malware or theft of data if another group discovers the flaw. Worse yet for military operations, private security researchers can find flaws and publicly release them before patches are issued. This can leave cyber operations in a tight spot with no way to continue an ongoing mission and no guarantee of remaining undetected.
According to Joyce, guarding private exploits and previously unknown vulnerabilities should be done just as carefully as physical military weapons. Many countries are believed to keep the majority of vulnerabilities private in an effort to expand offensive capabilities at the expense of a weaker defensive position.
Joyce said he knows of no nation that has chosen to disclose every vulnerability it discovers.
The White House has published its VEP Charter online alongside a fact sheet for those looking to learn more.
