Software “vulnerabilities” are security flaws that can be exploited to launch cyberattacks. Normally the vendors of IT products seek to patch such bugs soon after they are discovered. This makes some “zero-day vulnerabilities” – the ones that vendors still do not know about –particularly valuable to a variety of actors, including the companies, national governments, and criminals. While some national governments retain zero-days without reporting them to vendors in cases where the vulnerabilities appear particularly valuable for national intelligence or military objectives, some corporations use “bug bounty programs” to encourage hackers and security researchers to report bugs they discover to the vendor. Export controls have also sought to limit the international trade of vulnerabilities and exploits, though such efforts have led to unintended consequences such as the disruption of international cybersecurity research collaborations. Katie Moussouris will discuss her extensive work at the cutting edge of cybersecurity policy innovation relating to the handling of zero-day vulnerabilities in the private sector, government, and international trade.