Zero-day vulnerabilities equities process under scrutiny in the US
Early this week, the Electronic Frontier Foundation, a public advocacy group in the United States, filed a Freedom of Information Act lawsuit against the US National Security Agency and the Office of the Director of National Intelligence, aiming for a ruling that would release documents describing the government's Vulnerabilities Equities Process behind the handling of zero-day vulnerabilities.
US cybersecurity coordinator Michael Daniel stated in a memo sent earlier this year that buying and stockpiling zero-days is essential to national security, because it allows the government to decide when it will share information about security vulnerabilities in critical software applications.
However, the applications under scrutiny are not used exclusively by government agencies; they are also relied on by organisations, businesses and consumers, which is why disclosure of the process itself appears to demand transparency. Without such transparency, the EFF contends, American companies and consumers will remain exposed to potentially serious threats from which the government has already sought its own protection.
Snowden's leaks alleged that the NSA was using zero-days to compromise popular software packages and undermine the encryption technologies safeguarding online communication and commerce. More recently, the release of the Heartbleed OpenSSL vulnerability, though widely debated, is another example of such disparity in information disclosure.
Highlighting the Review Group on Intelligence and Communications Technologies' report, the EFF points out that the presidentially appointed Review Group recommends clarification of the government's zero-day disclosure policies, stressing "the importance of patching these critical vulnerabilities on public sector and commercial networks."
So far neither the NSA nor the ODNI has responded to the suit.