Lindsey Polley on the Vulnerabilities Equities Process
The Lawfare Podcast
The Lawfare Institute
4.7 • 6.2K Ratings
🗓️ 6 June 2022
⏱️ 43 minutes
🧾️ Download transcript
Summary
The business of offensive cyber operations and intelligence gathering increasingly requires the military and intelligence community to exploit networks, hardware, and software owned or produced by American companies and used by American citizens. Sometimes this exploitation occurs with the use of zero-day vulnerabilities. In order to determine when zero-day vulnerabilities should be exploited versus disclosed to the relevant vendor so that the vulnerability can be patched, the United States government engages in an interagency process known as the Vulnerabilities Equities Process or VEP.
Stephanie Pell sat down with Dr. Lindsey Polley, director of defense and national security at Starburst Aerospace, to talk about her recently defended dissertation, “To Disclose or Not to Disclose, That Is the Question: A Methods-Based Approach for Examining & Improving the US Government's Vulnerabilities Equities Process.” They discussed the purpose of the VEP, how it is structured to operate, and how its current state and structure impedes its ability to promote longer-term social good through its vulnerability adjudications. They also talked about some of Lindsey's recommendations to improve the VEP.
Support this show http://supporter.acast.com/lawfare.
Hosted on Acast. See acast.com/privacy for more information.
Transcript
Click on a timestamp to play from that location
| 0:00.0 | The following podcast contains advertising to access an ad-free version of the LawFair |
| 0:07.2 | podcast become a material supporter of LawFair at patreon.com slash LawFair. |
| 0:14.7 | That's patreon.com slash LawFair. |
| 0:18.2 | Also, check out LawFair's other podcast offerings, rational security, chatter, LawFair |
| 0:25.6 | no bull and the aftermath. |
| 0:55.6 | Go to www.missyongbloodlive.com |
| 1:01.6 | It's meant to highlight that the individuals making these decisions, being the ERB, the |
| 1:14.1 | Equities Review Board, are not mandated or encouraged through the current charter to consider |
| 1:21.6 | a key perspective or pieces of information that I believe should be considered in order |
| 1:27.6 | to make an informed vulnerability adjudication that truly prioritizes the public's interest. |
| 1:35.2 | I'm Stephanie Pell and this is the LawFair podcast June 6th, 2022. |
| 1:40.8 | The business of offensive cyber operations and intelligence gathering increasingly requires |
| 1:46.0 | the military and intelligence community to exploit networks, hardware and software owned |
| 1:52.0 | or produced by American companies and used by American citizens. |
| 1:56.8 | Sometimes this exploitation occurs with the use of zero-day vulnerabilities. |
| 2:01.5 | In order to determine when zero-day vulnerabilities should be exploited, versus disclosed to the |
| 2:06.7 | relevant vendor so that the vulnerability can be patched, the United States government |
| 2:11.7 | engages in an interagency process known as the Vulnerability's Equities Process or VEP. |
| 2:18.7 | I sat down with Dr. Lindsay Polly, Director of Defense and National Security at Starburst |
| 2:24.4 | Aerospace to talk about her recently defended dissertation to disclose or not to disclose |
| 2:31.4 | a methods-based approach for examining and improving the U.S. government's Vulnerability's |
| 2:36.8 | Equities Process. We discussed the purpose of the VEP, how it is structured to operate, |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from The Lawfare Institute, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of The Lawfare Institute and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2025.