Technology, R&D management
Vulnerability, vulnerability equities processes
The report shows that a reporting of vulnerabilities used by the state for active measures is likely to have only a minor effect on the increase in overall technical IT security. On the other hand, the value of the work of the security authorities is in many cases considered high, due to the high tactical enablement against potential malicious actors. The demand of some, that state authorities should refrain from pro-actively exploiting vulnerabilities for active measures therefore does not seem to make much sense; the net effect in security would be negative. Nevertheless, processes can be introduced that allow a more precise assessment and an informed, accountable and cautious handling of offensively used vulnerabilities.