GCHQ: this is how we decide to report a security bug or keep it a secret


British spy agency GCHQ and its info-sec unit, NCSC, today outlined how they decide whether or not to tell vendors when they find security bugs during bug hunting escapades.

GCHQ and NCSC today published an outline of the ‘equities process’ they use to decide whether or not to tell, say, Microsoft about a critical flaw they found in one of its products.

Last year NCSC disclosed three flaws to Microsoft, including a pair of critical bugs in Windows Defender, and a remote code execution flaw in the scripting engine used by Microsoft Edge and Internet Explorer 11.

The three bugs reported to Microsoft would have undergone the equities process detailed today, a three-tier system of decision-making that the UK government uses to weigh up whether or not to report a security vulnerability to a vendor.

But why reveal the process used to disclose bugs or not today? GCHQ says that the UK Investigatory Powers Commissioner has agreed to “provide oversight into how the Equities Process operates in practice with the aim of providing public reassurance.”