On December 30, 2019, Ari Schwartz was quoted in the Wall Street Journal on the Vulnerabilities Equities Process (VEP), the federal government’s policies regarding major cybersecurity flaws discovered—often in popular consumer software—by U.S. intelligence agencies.
According to the article, in 2017, the White House released a first-of-its-kind public road map that lays out the administration’s guidelines for when the government would disclose the discovery of flaws to vendors so that they can be patched, and when to keep flaws secret in order to preserve them for use in possible future offensive actions.
The public document that outlined the VEP said that an annual report would be written “at the lowest classification level permissible and include, at a minimum, an executive summary written at an unclassified level” that may be provided to Congress. Two years later, however, no information has been made public.
Former officials and cybersecurity policy experts have said they have been surprised by the White House’s apparent disinterest in sharing more about the process after earlier signaling a commitment to openness.
“When the VEP charter was made public, it seemed we were making progress that would put pressure on other countries to be more transparent,” said Schwartz. “The lack of any actual public data on what vulnerabilities are shared—even in the aggregate—is a major disappointment.”