UNCLASSIFIED
It is also important to recognize that the USG has not created these vulnerabilities. Information
systems will continue to have vulnerabilities, and efforts to discover and disclose these flaws are an
ongoing need. Contributions by the Intelligence Community (IC) have been significant in securing
modern information technology. If the USG were to adopt a policy of immediate disclosure, there
would still be vulnerabilities present that would be discovered and potentially exploited by other cyber
actors. For years, the USG’s process to robustly consider and disclose vulnerabilities was the only such
process known amongst both our peers and our adversaries.
Vulnerabilities can have significant economic, privacy and national security implications when
exploited. The USG and the private sector are at risk due to our dependency on cyberspace. The USG
is committed to an open, interoperable, secure, and reliable Internet and understands that vulnerabilities in
technologies underpinning the Internet threaten both security and liberty. Any system, including those
we rely on for critical infrastructure, can be a target for malicious cyber activity. Interests in protecting
the public from criminal cyber intrusions are often implicated by decisions to restrict or disseminate a
vulnerability, particularly in the absence of meaningful mitigation. Unpatched vulnerabilities leave not
only USG systems, but also the systems of commercial industry and private citizens, vulnerable to
intrusion.
Vulnerabilities are also used in the course of authorized military, intelligence, and law enforcement
activities. At times, intelligence and evidence discovered through judicious exploitation of a
vulnerability are the only means to understand a much bigger threat. Often taking a considered risk to
restrict knowledge of a vulnerability is the only way to discover significant intrusions that are
compromising security and privacy.
For these reasons, vulnerability disclosure raises a multitude of considerations that require careful
deliberation through an interagency process with a diversity of viewpoints. Competing USG missions
require coordination and collaboration to protect information systems and citizens from malicious
cyber activity. Additionally, the USG must be able to conduct law enforcement, military and
intelligence activities to the fullest extent practical and in accordance with the laws that govern these
activities.
Since there can be competing considerations for disclosing or restricting a vulnerability, it is important
that the equity process be led outside any single agency. For this reason, the process is coordinated by
the National Security Council (NSC) staff so that multiple agency viewpoints can be considered,
informed by the full input and consideration of the interagency experts.
3. Scope
This policy supersedes the Commercial and Government Information Technology and Industrial Control
Product or System Vulnerabilities Equities Policy and Process, dated February 16, 2010. Otherwise,
nothing in this policy is meant to supersede existing U.S. laws, regulations, executive orders, and
directives to protect National Security Systems (NSS), Sensitive Compartmented Information, or other