To Disclose, or Not to Disclose, That Is the Question

A Methods-Based Approach for Examining & Improving the US Government's Vulnerabilities Equities Process

by Lindsey Polley


This dissertation is the first publicly available methods-based approach to examining the previously classified Vulnerabilities Equities Process (VEP)—a federal-level policy to adjudicate decisions on whether to retain or disclose newly discovered software vulnerabilities. Since its public acknowledgment in 2014, the benefits and shortcomings of the VEP have been sharply debated in the public arena by media, digital advocacy groups, and academia. The lack of publicly available data on the VEP, however, means that the majority of current public discourse is largely rooted in uninformed opinion. Two key aspects of this debate have focused on the design of the VEP charter itself and on the representation of equities considered during the vulnerability adjudication process. This dissertation analyzes the current VEP through a mixed-methods approach and finds that—in both design and practice—it is deficient in its consideration of public-oriented equities and ethics that are important to software vulnerability-oriented public policy, directly impeding the current VEP's ability to promote social good through its adjudication process. I make eleven policy recommendations that address these deficiencies to support the VEP Director and Equities Review Board in making vulnerability adjudications that more robustly consider the equities of underrepresented stakeholders. This dissertation makes several original contributions to knowledge, including the development of a new virtue-based ethics framework for software vulnerability-oriented public policy. The development of this new framework not only fills a gap in the current literature but also lays the foundation for further investigations into cyber policy and ethics—an under-researched yet critical nexus of modern life in a highly technology-dependent world.

Table of Contents

  • Chapter One: The Vulnerabilities Equities Process: Its Evolution, Public Critiques, & How Other Countries Are Approaching the Topic
  • Chapter Two: Qualitative Research & Analysis of the VEP
  • Chapter Three: Ethics Considerations
  • Chapter Four: Policy Recommendations & Final Discussion
  • Appendix A: VEP Interview Protocol
  • Appendix B: VEP Equity Review Board Members' IC or LE Association

This document was submitted as a dissertation in February 2022 in partial fulfillment of the requirements of the doctoral degree in public policy analysis at the Pardee RAND Graduate School. The faculty committee that supervised and approved the dissertation consisted of John Bordeaux (Chair), Sasha Romanosky, and Quentin Hodgson.

This report is part of the RAND Corporation Dissertation series. Pardee RAND dissertations are produced by graduate fellows of the Pardee RAND Graduate School, the world's leading producer of Ph.D.'s in policy analysis. The dissertations are supervised, reviewed, and approved by a Pardee RAND faculty committee overseeing each dissertation.
