The Carnegie Endowment for International Peace was pleased to host an international conference focused on government vulnerability management on December 5 in Brussels, Belgium.

The event featured top government, private sector, and academic experts, who shared the best, most actionable ideas on vulnerability equities processes and vulnerability disclosure. It expanded upon the increasing dialogue in Europe on these topics, helping participants to set priorities, make tradeoffs, and establish smart policies.

The event strictly adhered to the Chatham House Rule to enable open dialogue.


8:45 to 9:15 a.m.

Check-In and Breakfast

9:15 to 9:30 a.m.

Welcome and Opening Remarks

Kate Charlet

9:30 to 10:15 a.m.

Keynote: One European Nation’s Thinking on Vulnerability Equities Processes

Ian Levy

10:15 to 11:15 a.m.

Insights for Nations Considering Vulnerability Equities Processes

Recommendations from government, academic, and industry thought leaders for nations considering the development of a vulnerability equities process.

Sven Herpig, Katie Moussouris, Mathias Vermeulen

Moderator: Ari Schwartz

11:30 a.m. to 12:30 p.m.

Fireside Chat: Perspectives From Top Government Leaders

Former national leaders reflect on how governments manage vulnerability equities and vulnerability disclosure, including lessons learned, address increasing concerns over supply chain threats, and make recommendations for future policy.

Michael Daniel, Robert Hannigan

Moderator: Kate Charlet

12:30 to 1:30 p.m.

Working Lunch Informal Discussions

Participants may join informal discussions on topics like supply chain cybersecurity, operational coordination, and encryption.

1:30 to 2:30 p.m.

Building Trust and Operational Engagement Between Government and Industry on Vulnerability Management

What are the corresponding responsibilities of governments and industry to reduce vulnerabilities in software, hardware, and online systems? What are the pain points between government and industry on government vulnerability management, and how can relationships be strengthened? How can we operationalize these relationships and work better together?

Hans de Vries, Ian Levy, Eva Schulz-Kamm

Moderator: Thomas Boué

2:30 to 3:20 p.m.

Beyond Zero-Day Discovery: Managing Vulnerabilities Across the Spectrum

What are the responsibilities of government and industry beyond zero-day discovery and disclosure? How should they think more broadly about supply chain/hardware vulnerabilities, the vulnerability marketplace, the development of safer coding practices, and responsibly managing exploits?

Trey Herr, Eric Wenger

Moderator: Katie Moussouris

3:30 to 4:20 p.m.

Designing a Government Vulnerability Equities Process

What are the most important criteria for vulnerability equities decisions? What are techniques for weighing tradeoffs? What data is needed to consider tradeoffs effectively? Are there considerations that are under-represented in today’s discussions?

Lucie Krahulcova, Lorenzo Pupillo, Sasha Romanosky

Moderator: Sven Herpig


Thomas Boué is the director general, policy—EMEA at BSA | The Software Alliance.

Kate Charlet is the director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace and former U.S. deputy assistant secretary of defense (acting) for cyber policy.

Michael Daniel is the former U.S. cybersecurity coordinator on the National Security Council staff and current president and CEO of the Cyber Threat Alliance.

Hans de Vries is the head of the National Cyber Security Centre of the Ministry of Justice and Security of the Netherlands.

Robert Hannigan is the former director of GCHQ of the United Kingdom and current senior associate fellow at RUSI.

Sven Herpig is the project director of the Transatlantic Cyber Forum for Stiftung Neue Verantwortung.

Trey Herr is a senior security strategist with Microsoft’s Global Security Strategy and Diplomacy team.

Lucie Krahulcova is an EU policy analyst at Access Now Brussels.

Ian Levy is the technical director of the National Cyber Security Centre of the United Kingdom.

Katie Moussouris is the founder and CEO of Luta Security.

Lorenzo Pupillo is an associate senior research fellow and head of the Cybersecurity@CEPS Initiative at the Center for European Policy Studies.

Sasha Romanosky is a policy researcher at the RAND Corporation and former cyber policy advisor in the U.S. Office of the Secretary of Defense for Policy.

Eva Schulz-Kamm is the head of Global Government Affairs at Siemens.

Ari Schwartz is the managing director of cybersecurity services for Venable’s Cybersecurity Risk Management Group.

Eric Wenger is the director for Cybersecurity and Privacy Policy, Global Government Affairs at Cisco.

Mathias Vermeulen is advisor to Marietje Schaake, member of European Parliament, on digital issues.