Does the FBI have to tell Apple of the vuln it used to break their iPhone? How many 0days every year go into the NSA arsenal — dozens, hundreds or thousands? Are there any grown-ups in Washington DC watching over FBI or NSA as they decide what vulns to disclose to vendors and which to keep to themselves? These are all key questions which have dominated so much of 2016, yet there’s been relatively little reliable information for us to go on, to learn what the Feds are up to and whether it passes any definition of reasonableness. Based on open-source research and interviews with many of the principal participants, this talk starts with the pre-history starting in the 1990s before examining the current process and players (as it turns out, NSA prefers to discover their own vulns, CIA prefers to buy). The current process is run from the White House with “a bias to disclose” driven by a decision by the President (in because of the Snowden revelations). The entire process was made public when NSA was forced to deny media reports that it had prior knowledge of Heartbleed. Bio: Jason Healy is a Senior Research Scholar at Columbia University’s School for International and Public Affairs. During his time in the White House, he coordinated efforts to secure the Internet and US critical infrastructure. He started his career as a US Air Force intelligence officer where he helped create the first joint cyber command, in 1998 and is a Senior Fellow at the Atlantic Council.