Abstract

Zero-day vulnerabilities in critical software systems are of the highest priority for government agencies, black market hackers, and private software vendors. Each of these parties has different priorities and uses for zero-day vulnerabilities, but because of the global economy’s reliance on technology and software, these vulnerabilities represent a significant threat to much of the critical infrastructure of the United States. The United States Intelligence Community is among the most sophisticated players in the zero-day market, and its decision making with respect to these unknown vulnerabilities has widespread impacts. This note examines the current state of the Vulnerabilities Equities Process, the executive branch policy designed to weigh various equities when determining the fate of a zero-day vulnerability discovered by the Intelligence Community: whether to use the zero-day to collect intelligence or to disclose the vulnerability and see that it is patched. I argue that the current Vulnerabilities Equities Process does not produce optimal outcomes, and that the decision-making process must be ‘recalibrated’ to properly weigh all relevant equities and to ensure that zero-day vulnerabilities are not being used irresponsibly.
