UK’s NCSC Explains How They Handle Discovered Vulnerabilities

When the United Kingdom’s National Cyber Security Centre (NCSC) performs operational tasks, it may find vulnerabilities in software, hardware, websites, or critical infrastructure. Each such finding goes through a review called the “Equities Process”, which determines whether the NCSC will disclose the vulnerability to the vendor so that it can be fixed, or retain it for use in intelligence gathering.

The NCSC explained this week that when it finds a vulnerability, its starting position is to disclose it responsibly. The vulnerability is then reviewed by a series of groups that weigh whether it has more value if kept private, so that it can be used to protect the United Kingdom and its allies, or whether it is more important to disclose it so that it is fixed.

“The Equities Process provides a mechanism through which decisions about disclosure are taken. Expert analysis, based on objective criteria, is undertaken to decide whether such vulnerabilities should be released to allow them to be mitigated or retained so that they can be used for intelligence purposes in the interests of the UK,” explained the NCSC.

Source: Bleeping Computer