UPDATED 22:33 EDT / NOVEMBER 15 2017

INFRA

White House releases process used to consider revealing security vulnerabilities

The Trump Administration has released the previously secret rules used by the government to decide on whether to disclose cybersecurity vulnerabilities or keep them secret.

The interagency Vulnerabilities Equities Process, or VEP, formalized under the Obama administration, details how vulnerabilities discovered by government bodies such as the National Security Agency, Central Intelligence Agency and Department of Homeland Security are classified and managed. The document describes the grounds on which some vulnerabilities should be withheld, and when they should be disclosed.

The policy is designed to balance the operational needs of law enforcement and intelligence agencies to exploit devices against the need to warn manufacturers of vulnerabilities that have been discovered so they can patch them before criminals and foreign governments take advantage of them.

“While not infallible, these processes ensure rigorous consideration of all factors vital to our national security,” White House Cybersecurity Coordinator Rob Joyce said in a statement. “The Federal Government also has an important responsibility to closely guard and protect vulnerabilities as carefully as our military services protect the traditional weapons retained to fight our nation’s wars.”

The process involves an agency that has discovered a vulnerability submitting it to the VEP's Equities Review Board, which includes representatives from key government stakeholders. The board then weighs the vulnerability against four sets of considerations.

The first is the defensive side: how widely the vulnerable product is used and how much of a threat the flaw poses if it is exploited. The second is whether the U.S. government itself could use the vulnerability for intelligence, law enforcement or military operations. Perhaps the most interesting revelation, particularly following the ongoing leaks of NSA hacking tools that were later used in attacks including WannaCry, is that the third and fourth sets of considerations weigh the commercial and international-partnership risks the government would face should companies or allied governments later learn that it knew of the specific vulnerability all along, the public relations angle, so to speak.

While the public release of the previously secret policy was mostly welcomed by the security community, some, such as Stephen Cobb of ESET, noted that serious questions remain, in particular that if the government withholds some vulnerabilities, regardless of the reasoning, it may put the security of the internet at risk.

Photo: djc/Flickr
