Since its inception, scholars, journalists, and former government officials have warned of the VEP’s limitations, loopholes, and the need for oversight.
In May of 2017, the WannaCry attack, later attributed to North Korea, resulted in the loss of billions of dollars for governments and private companies across the globe. A month later, the NotPetya attack, later attributed to Russia, wreaked additional and more devastating havoc, again on a global scale. Both attacks exploited a vulnerability in the Microsoft Windows operating system. The United States government had discovered that same vulnerability many years earlier. Rather than notifying Microsoft of the vulnerability so that it could be patched, the United States government decided to keep it secret so that it could be used for national security and intelligence purposes. In assessing whether to disclose or retain the vulnerability that led to the WannaCry and NotPetya attacks, the United States government followed an internal executive branch policy called the Vulnerabilities Equities Policy and Process, more commonly known as the VEP.