LONDON — The U.K. agency tasked with fighting cyberthreats on Thursday announced a new process for the public disclosure Vulnerability-related.DiscoverVulnerability of potentially sensitive software flaws , introducing a new level of transparency to its work . The National Cyber Security Centre laid out its new procedure , called the `` Equities Process '' in a blog post that details how it makes decisions on whether to make public Vulnerability-related.DiscoverVulnerability the discovery of new flaws . National security operations sometimes hold back from announcing Vulnerability-related.DiscoverVulnerability the discovery of security flaws in part because the bugs can be used to gather intelligence . “ There ’ s got to be a good reason not to disclose , ” said Ian Levy , technical director at the NCSC . The default position , the NCSC said , is to disclose Vulnerability-related.DiscoverVulnerability those vulnerabilities to the public after fixes have been made Vulnerability-related.PatchVulnerability . The government will only keep them confidential in rare instances , such as if there ’ s an overriding intelligence reason . Levy said withholding release of a bug will require high-level government sign-off . The goal is to prevent cyberattacks Attack.Ransom like “ WannaCry , ” which paralyzed computer systems around the world in May 2017 . The attack , which the U.S. has blamed on North Korea , wrought havoc within the U.K. ’ s National Health Service ( NHS ) by exploiting vulnerabilities in an outdated version of Microsoft Windows . WannaCry underscored the dangers of not patching Vulnerability-related.PatchVulnerability or updating Vulnerability-related.PatchVulnerability software . The NCSC ’ s disclosure policy follows one implemented by the White House in 2017 . The National Security Agency ( NSA ) had come under intense pressure from transparency advocates to disclose more about its work in the wake of WannaCry . “ The best defense against a cyberattack , whether it ’ s by criminals or nation states , is to keep your box up to date , ” said Levy . “ If you patch Vulnerability-related.PatchVulnerability your software , a lot of the stuff that we ’ ve found goes away. ” The vast majority of attacks are carried out by exploiting vulnerabilities already known to the vendors of the technology in question , Levy said . Such was the case when Russian cyberoperatives hacked into British telecoms companies in 2017 . Levy said the primary goal of more transparency is to “ bang the drum ” about basic cybersecurity , like patching Vulnerability-related.PatchVulnerability and secure network setups .