When the United Kingdom's National Cyber Security Centre (NCSC) performs operational tasks, it may find vulnerabilities in software, hardware, websites, or critical infrastructure. When it finds such a vulnerability, it goes through a review process called the "Equities Process" that determines whether the vulnerability will be disclosed so that it is fixed or retained for use during intelligence gathering.
The NCSC explained this week that when it finds a vulnerability, its starting position is to responsibly disclose it. The vulnerability is then reviewed by a series of groups that weigh whether it has more value being kept private so that it can be used to protect the United Kingdom and its allies, or whether it is more important to disclose it so that it is fixed.
"The Equities Process provides a mechanism through which decisions about disclosure are taken. Expert analysis, based on objective criteria, is undertaken to decide whether such vulnerabilities should be released to allow them to be mitigated or retained so that they can be used for intelligence purposes in the interests of the UK," explained the NCSC. "The starting position is always that disclosing a vulnerability will be in the national interest."
As part of the Equities Process, three groups of people are involved in this review, as described below.
When a new vulnerability submission is received, the Equities Technical Panel applies various criteria to determine whether it should be retained or disclosed. These criteria include whether disclosing the vulnerability would have a negative impact on the UK's security, whether it could be used for intelligence operations, and whether not releasing it would pose too much risk to the UK and its allies.
If a vulnerability is determined to be retained, then it goes through a series of increasingly senior level groups who review the vulnerability. Unless there is a consensus that the vulnerability should be retained, it is responsibly disclosed to the vendor or organization. This review process is illustrated in the flow chart below.
There are some exceptions that may cause a vulnerability not to be reviewed under the Equities Process. These include cases where the vulnerability was disclosed to the UK by an ally that performed a similar review process, where the software is no longer supported and thus there is no way to patch it, or where the vulnerability was purposely designed that way by the developer.
If it is decided to retain the vulnerability, it goes through the same review process at least every 12 months, or sooner as required.
This type of review process is not unique to the United Kingdom; other countries, such as the U.S.A., have their own "Vulnerabilities Equities Policy and Process".