Recalibrating the Use of Zero-Day Vulnerabilities

Authors

  • Kellen Carleton

DOI:

https://doi.org/10.5195/jlc.2023.270

Abstract

Zero-day vulnerabilities in critical software systems are of the highest priority for government agencies, black-market hackers, and private software vendors. Each of these parties has different priorities and uses for zero-day vulnerabilities, but because the global economy relies on technology and software, such vulnerabilities represent a significant threat to much of the critical infrastructure of the United States. The United States Intelligence Community is among the most sophisticated players in the zero-day market, and its decisions about these unknown vulnerabilities have widespread impacts. This note examines the current state of the Vulnerabilities Equities Process, the executive branch policy designed to weigh various equities when determining the fate of a zero-day vulnerability discovered by the Intelligence Community: whether to use the zero-day to collect intelligence or to disclose the vulnerability and see that it is patched. I argue that the current Vulnerabilities Equities Process does not produce optimal outcomes, and that the decision-making process must be ‘recalibrated’ to properly weigh all relevant equities and to ensure that zero-day vulnerabilities are not used irresponsibly.

Published

2024-05-07

How to Cite

Carleton, K. (2024). Recalibrating the Use of Zero-Day Vulnerabilities. Journal of Law and Commerce, 42(1). https://doi.org/10.5195/jlc.2023.270