Vulnerabilities Equities Process

BLUF

The Vulnerabilities Equities Process (VEP) is the United States government’s interagency framework for deciding whether a software or hardware vulnerability discovered or acquired by a government agency should be disclosed to the vendor (so it can be patched) or retained for offensive intelligence and cyber operations. Codified in 2017 following a Presidential Policy Directive and formalized by statute in the Cybersecurity Act of 2015 (Section 104), it is the primary mechanism through which the US government formally manages the tension between offensive cyber capability and defensive cybersecurity improvement. The VEP is directly relevant to the Claude Mythos NSA deployment case: if NSA’s Mythos-assisted testing of Microsoft products discovers vulnerabilities, it is unclear whether those findings are subject to VEP disclosure requirements.

Mechanics

  1. Discovery/acquisition: An agency (NSA, CIA, DoD, FBI) discovers or acquires a previously unknown vulnerability
  2. Equities review: The vulnerability is submitted to the Equities Review Board (ERB), chaired by the NSA, with participation from DoD, IC, FBI, DHS/CISA, and others
  3. Disclosure decision: The ERB weighs offensive value (retention) against defensive value (disclosure and patching). Factors include the criticality of the affected software, the likelihood of independent discovery by adversaries, the US government’s ability to protect the exploit, and the strategic intelligence value of retaining it
  4. Outcome: Either disclose to vendor (coordinated disclosure; vendor patches) or retain as an intelligence tool (kept secret; deployed operationally)

The Mythos-VEP Intersection

When NSA uses Claude Mythos to discover vulnerabilities in Microsoft products, a legal and procedural gap emerges:

  • Traditional VEP scope: Designed for vulnerabilities discovered via human analysis, SIGINT collection, or offensive cyber research
  • AI-assisted discovery: Whether vulnerabilities discovered by NSA with commercial LLM assistance are subject to VEP disclosure obligations has not been publicly addressed
  • Outsourcing concern: If NSA’s Mythos testing discovers vulnerabilities but categorizes them differently than standard VEP-governed finds, the oversight mechanism may be bypassed
  • Bloomberg (2026-04-30): Reporting confirmed NSA was testing Mythos against Microsoft products but “officials did not know what, if any, security bugs the intelligence agency’s testing had turned up” — suggesting no disclosed findings, either via VEP or other channels, as of the reporting date

Key Connections

  • Claude Mythos — primary case where VEP applicability is in question
  • Stuxnet — Stuxnet employed multiple zero-days that, had VEP existed in 2007–2010, would have required equities review
  • National Security Agency — chairs the Equities Review Board; primary VEP participant
  • Microsoft — vendor whose products are subject to NSA Mythos testing; would be the disclosure recipient if VEP required it

Sources

  • White House VEP Charter (November 2017) — [High confidence — primary]
  • Cybersecurity Act of 2015, Section 104 — [High confidence — primary]
  • EFF: VEP analysis and advocacy — [Medium confidence]
  • Lawfare: “The Vulnerabilities Equities Process After Vault 7” — [Medium-high confidence]