Trump administration picks new leader for Vulnerabilities Equities Process board

Grant Schneider has been named chair of the Vulnerability Equities Process board.
Grant Schneider
Grant Schneider addresses the 2017 FedScoop Security Through Innovation Summit. (FedScoop)

The White House has selected a new leader to head a secretive government group that helps decide which software vulnerabilities should be kept for intelligence gathering purposes or widely released to the public.

Grant Schneider, the National Security Council’s senior director for cybersecurity policy, has been named chairman of the Vulnerability Equities Process (VEP) board, an NSC spokesperson told CyberScoop. Schneider is also currently serving as the acting federal chief information security officer.

His appointment comes as recent White House Cybersecurity Coordinator Rob Joyce left 1600 Pennsylvania Avenue in May. He is now serving as a senior adviser at the National Security Agency.

Joyce was instrumental in a public charter released last year that brought transparency to the VEP, by which the U.S. government determines to either withhold or disclose information to tech companies about newly discovered flaws in their software. The charter originally named Joyce as the head of the multi-agency Equities Review Board (ERB), which weighs in on such decisions. But with Joyce’s departure, the administration needed to select a new leader from within the NSC.


A longtime civil servant, Schneider is widely respected in the federal IT community. Before joining the White House, he served in various information security roles at the Office of Personnel Management, Office of Management and Budget and Defense Intelligence Agency.

Over the last year, Schneider has also played a significant role in executing Trump’s cybersecurity executive order which calls on federal agencies to improve their digital defenses.

Aspects of the VEP framework, a previously classified document, first became public in 2016 when a Freedom of Information Act request by the Electronic Frontier Foundation unearthed a redacted version.

The ERB includes representation from multiple relevant agencies, including the CIA, FBI, Treasury Department, State Department, Justice Department and Homeland Security Department, among others. Typically, when an agency secretly discovers a software flaw and wants to keep it for espionage purposes, they’re supposed to bring it to the ERB for consideration. While these undisclosed vulnerabilities can provide the U.S. government with special access to specific targets, they also leave companies susceptible to cyberattacks.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts