GCHQ, and the National Cyber Security Centre, have a proud history of discovering and disclosing security weaknesses in all manner of technologies. This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad. However, we do not disclose every vulnerability we find. In some cases, we judge that the UK's national security interests are better served by 'retaining' knowledge of a vulnerability.
The decision whether to disclose or retain a vulnerability is considered through the Equities Process - the means by which the UK intelligence community decides how to handle the vulnerabilities we discover.
For the first time, GCHQ and NCSC are publishing the UK’s Equities Process. The relevant documents can be found on the GCHQ website: 'Equities Process' and 'Dealing with vulnerabilities'. Dr Ian Levy, NCSC Technical Director, has also written a blog, providing his insight into the process.