Equities process
Summary
The National Cyber Security Centre (NCSC), as part of the UK intelligence community, has published the UK’s ‘Equities Process’ — the formal approach for deciding what to do when vulnerabilities are discovered in technology. The default is to disclose vulnerabilities to vendors so they can be fixed, but in some cases the UK will retain knowledge of a vulnerability for intelligence purposes when there is a compelling reason.
The process emphasises a strong presumption in favour of disclosure, uses senior technical input from NCSC staff, includes escalation routes to the NCSC CEO, and is subject to independent oversight by the Investigatory Powers Commissioner’s Office (IPCO). The aim is to balance national intelligence needs with the cyber security of UK users.
Key Points
- The default UK position is to disclose vulnerabilities to vendors so they can be patched.
- Retention of a vulnerability is considered only when there is a compelling intelligence case, or when disclosure itself would increase harm to users.
- NCSC technical experts chair the Equity Technical Panel and the Equity Board and must be convinced to retain a vulnerability.
- Serious or contested cases can be escalated to the NCSC CEO, with technical advice provided at senior levels.
- IPCO provides independent oversight of the process to ensure it is applied properly.
- The published process is intended to increase transparency and reassure the public about how the UK handles discovered vulnerabilities.
Content summary
The blog explains that the UK intelligence community conducts vulnerability research and must decide whether to disclose findings or keep them for intelligence use. ‘Equities’ here means weighing risks and benefits fairly between intelligence requirements and overall cyber security. NCSC states a clear preference for disclosure and outlines the governance: technical panels, board-level sign-off, CEO escalation and IPCO oversight. The post argues that a blanket policy of always disclosing is naïve because other parts of the intelligence community would still conduct research and the UK would lose influence over handling those discoveries.
The NCSC says it uses vulnerability findings to engage with vendors and sometimes to prompt broader strategic conversations about improving product security, not just patching individual issues. The published process aims to provide reassurance that decisions are made by experts with accountability and independent scrutiny.
Context and relevance
This matters to security teams, vendors, researchers and policy-makers because it clarifies when the UK might keep a vulnerability secret and how that decision is reached. It sits at the intersection of vulnerability disclosure policy, national security, and responsible vulnerability research — a topic that has grown in importance as software underpins more critical services.
The publication feeds into ongoing debates on coordinated vulnerability disclosure, bug-bounty programmes, and how governments should balance intelligence collection with public safety. Organisations should be aware that the UK’s approach formally prioritises disclosure but retains narrowly defined exceptions backed by oversight.
Why should I read this?
Quick take: if you work in cyber security, build software, or manage IT risk, this is worth a skim. It tells you when the UK will tell a vendor about a bug and when it might keep quiet, who signs off on those decisions, and that there is independent oversight of them. Short version: we have done the reading for you; this explains the rules of the road for vulnerability handling in the UK.
Quick take: if you work in cyber, build software, or run IT risk — this is worth a skim. It tells you when the UK will tell a vendor about a bug and when it might keep quiet, who signs off on those decisions, and that there’s independent oversight. Short version: we’ve done the reading for you — this explains the rules of the road around vulnerability handling in the UK.