northeastern university seal

This document analyzes law enforcement procedures and protocols when using known, undisclosed vulnerabilities in software for purposes including gathering evidence. A significant portion reviews the history of the Vulnerabilities Equities Process (VEP) that outlines a decision-making process when choosing to disclose information about discovered vulnerabilities. This document also identifies issues that lack analysis, such as the financial cost of vulnerability exploits; it also analyzes how disclosures interact with other policies such as bug bounty programs.

View Source