September 8, 2015
After more than a year of legal wrangling, the federal government has agreed to hand over its policy on vulnerability use and disclosure. The government had said that the policy was classified and too sensitive to release, but relented late last week and sent the document to the EFF, albeit a heavily redacted version.
Know as the Vulnerabilities Equities Process, the document outlines the criteria that the government uses when deciding whether to keep information about vulnerabilities discovered by the government or its contractors private. The 13-page policy applies to a variety of hardware and software, including government-built systems, commercial systems, SCADA systems, and ICS systems.