Ari Schwartz published "The Future of Vulnerabilities Equities Processes Around the World" in Lawfare. Here is an excerpt:
As governments increasingly find themselves needing information from networked sources for law enforcement, intelligence, and military purposes, one of the most difficult dilemmas they face concerns the use of so-called zero day vulnerabilities—previously unknown flaws or bugs that can sometimes be exploited to gain access to servers that house information or control networks and infrastructure. Governments often have researchers looking for these flaws, and sometimes, governments purchase them on the open market. But when governments find such vulnerabilities, should they quickly disclose these flaws and thus allow them to be fixed, or should they keep the information a secret for other national security purposes?