Rob Joyce, White House cybersecurity coordinator, has said the federal government should work to ensure the transparency of the Vulnerabilities Equities Process in order for U.S. citizens to have confidence in VEP’s integrity.
Joyce wrote in a blog post posted Wednesday VEP is an interagency process that seeks to determine whether to divulge cyber vulnerability data to vendors to facilitate patches or temporarily restrict that data in support of law enforcement and national security operations.
The newly released VEP Charter covers four groups of equity considerations designed to help decision makers assess the potential advantages and risks to national security of limiting or disclosing vulnerability data.
Those equity considerations include defensive equities; commercial equities; international partnership equities; and intelligence, law enforcement and operational equities.
Joyce noted that the public release of the VEP Charter aims to provide information on participants in the Equities Review Board, vulnerability categories that go through the process and federal agencies and departments that take part in VEP discussions.
The charter would also require the release of an annual report to offer information on VEP metrics and notify the public about the process and related outcomes.