
Zero-Day Diplomacy: How Vulnerability Disclosure Shapes Alliances

By The Security Nexus

From Exploits to Entanglements: Cybersecurity as Alliance Policy

In traditional diplomacy, alliances are secured through treaties, trade, and troop movements. In the digital era, they’re increasingly negotiated through code. Whether to disclose or weaponize a vulnerability is no longer a purely technical question—it’s a political decision with implications for both deterrence and trust.

At the heart of this dynamic lies the Vulnerabilities Equities Process (VEP)—the U.S. government’s mechanism for deciding whether to keep a newly discovered software vulnerability secret (for offensive use) or to disclose it to vendors for patching. Originally secretive, the VEP was formalized in 2017 and later revised to include increased interagency representation, but transparency remains partial and selective.

The transcript reveals something often overlooked: the VEP is as much about alliance management as it is about cyber risk. Decisions made through the VEP ripple outward, affecting allies who may share software ecosystems, infrastructure dependencies, or intelligence channels. When one state hoards a zero-day vulnerability, its partners bear the downstream risks—especially when the vulnerability is exploited in the wild by a third party or falls into the hands of criminals.



Patch or Exploit? The Alliance Dilemma

This “patch vs. exploit” decision encapsulates a deeper friction: how do states weigh national advantage against collective security?

U.S. decisions not to disclose have sometimes led to significant blowback. The WannaCry and NotPetya attacks, both built on leaked NSA tools, caused billions in damages to allies and adversaries alike. In these cases, non-disclosure bred distrust. The transcript discusses how this eroded technical cooperation with partners like the UK and Germany, who questioned whether the U.S. would share critical information during cyber crises.

This isn’t just a bilateral issue. In coalitions such as the Five Eyes, the NATO CCDCOE, or ad hoc cyber defense groups, trust is modular and situational. Partners expect some level of intelligence asymmetry—but when vulnerability hoarding endangers shared infrastructure or critical sectors (e.g., finance, energy, transportation), alliance cohesion frays.



Beyond the VEP: Exploit Prediction and International Risk Management

Academic work supports this tension. Romanosky et al. (2020) demonstrate that only a small fraction of known vulnerabilities are ever exploited in the wild; however, those that are can cause disproportionate harm. Using machine learning on real-world exploit data, they argue that focusing remediation efforts on likely-to-be-exploited CVEs (rather than merely high CVSS scores) offers far better outcomes for defenders.
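To make the Romanosky et al. point concrete, here is an added example (written for this post, not code from the paper): it takes a constructed set of vulnerabilities, each with a CVSS score and an assumed exploit-likelihood value, and compares how much of the actually-exploited set a fixed patch budget covers when the queue is ordered by CVSS alone versus by exploit likelihood weighted by severity.

```python
# Added example, not from the article or the paper it cites. Vulnerability
# ids, CVSS scores, likelihood values and ground truth are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str          # placeholder identifier, not a real CVE
    cvss: float       # base severity score, 0-10
    p_exploit: float  # assumed probability of exploitation in the wild, 0-1
    exploited: bool   # ground truth, used only to score the two rankings


# Constructed sample: most high-CVSS items are never exploited, while a few
# lower-scored ones are, the pattern Romanosky et al. describe.
SAMPLE = [
    Vuln("VULN-01", 9.8, 0.02, False),
    Vuln("VULN-02", 9.1, 0.01, False),
    Vuln("VULN-03", 8.8, 0.60, True),
    Vuln("VULN-04", 7.5, 0.45, True),
    Vuln("VULN-05", 7.2, 0.03, False),
    Vuln("VULN-06", 6.5, 0.30, True),
    Vuln("VULN-07", 5.3, 0.05, False),
    Vuln("VULN-08", 4.3, 0.02, False),
]


def rank_by_cvss(vulns):
    """Severity-only queue: highest CVSS first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def rank_by_expected_harm(vulns):
    """Likelihood-aware queue: probability of exploitation weighted by severity."""
    return sorted(vulns, key=lambda v: v.p_exploit * v.cvss, reverse=True)


def exploited_coverage(ranked, budget):
    """Fraction of actually-exploited vulns that fall within the first `budget`."""
    exploited_total = sum(v.exploited for v in ranked)
    if exploited_total == 0:
        return 0.0  # nothing in the sample was exploited; coverage is moot
    return sum(v.exploited for v in ranked[:budget]) / exploited_total


def compare(vulns, budget):
    """Return (cvss-first coverage, likelihood-first coverage) for one budget."""
    return (exploited_coverage(rank_by_cvss(vulns), budget),
            exploited_coverage(rank_by_expected_harm(vulns), budget))


if __name__ == "__main__":
    cvss_cov, harm_cov = compare(SAMPLE, budget=3)
    print(f"budget 3: cvss-first {cvss_cov:.0%}, likelihood-first {harm_cov:.0%}")
```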

From a diplomatic standpoint, this raises a new question: should states coordinate predictive models of exploitability across borders? Currently, this is rare. Each government or CERT builds its own threat models, often blind to the others’ logic. This fragmentation invites redundancy at best and catastrophic miscalculation at worst.



Cyber Norms or Cyber Realpolitik?

Norm-building efforts—such as Microsoft’s proposed “Digital Geneva Convention” or the Paris Call for Trust and Security in Cyberspace—struggle under the weight of strategic self-interest. While norms of responsible disclosure exist in multilateral forums, they lack effective enforcement mechanisms and are often undermined by national cyber operations.

The same vulnerability that an ally wants patched might be central to another state’s intelligence-gathering operation. This is not hypothetical. In 2013, it was revealed that the U.S. exploited Cisco vulnerabilities in foreign espionage operations while simultaneously allowing the company to ship products globally, unpatched and exposed.



The Future: Cooperative VEPs?

Looking forward, coalitions may consider joint VEPs—shared decision-making frameworks in which multiple nations participate in weighing the benefits of disclosure versus retention. This would not eliminate secrecy but could at least provide structured deliberation among trusted partners.

Other proposals include:
• Disclosing differentially: patching for coalition partners, withholding for others.
• “Exploit escrow” models: vulnerabilities are retained for a limited period before mandatory disclosure.
• Shared exploit prediction pools: integrating threat intelligence from multiple national CERTs into collective models, à la NATO CCDCOE.

These won’t solve the underlying strategic dilemmas—but they may reduce the diplomatic fallout of digital surprise.



Conclusion: Every Patch is Political

In the end, zero-days are diplomatic acts—the decision to withhold or disclose has far-reaching implications that ripple across alliance structures, trust arrangements, and national risk postures. As coalitions navigate an increasingly contested cyber domain, their greatest challenge may not be technical capability, but rather the politics of vulnerability.



Sources
• Romanosky, Sasha et al. 2020. Improving vulnerability remediation through better exploit prediction. Journal of Cybersecurity, 6(1): tyaa015. https://doi.org/10.1093/cybsec/tyaa015.
• Gaikwad, Nikhar, Federica Genovese, and Dustin Tingley. 2022. Creating Climate Coalitions: Mass Preferences for Compensating Vulnerability in the World’s Two Largest Democracies. American Political Science Review 116(4): 1165–1183. https://doi.org/10.1017/S0003055422000223.
• U.S. Vulnerabilities Equities Process Charter (2017).
• Transcript from podcast interview, Security Nexus, 2025.
• Carleton, D. 2022. The Many Faces of Vulnerability.
• Leeds and Davis. 1997. Domestic Political Vulnerability and International Disputes.