Menu
EFF questions US government's software flaw disclosure policy

EFF questions US government's software flaw disclosure policy

The government hasn't shown that it is improving its zero-day flaw notification efforts

It's not clear if the U.S. government is living up to its promise to disclose serious software flaws to technology companies, a policy it put in place five years ago, according to the Electronic Frontier Foundation.

The digital watchdog said on Monday it received a handful of heavily redacted documents from the Office of the Director of National Intelligence (ODNI), which it sued last July after it and the National Security Agency moved too slowly on a Freedom of Information Act (FOIA) request.

Last year, the EFF sought documents related to the U.S. government's efforts to beef up its Vulnerability Equities Process (VEP), a framework for notifying companies about zero-day vulnerabilities.

Those type of software flaws are considered the most dangerous since attackers are actively using the flaws to compromise computers, and there are no patches ready.

But there has been concern that the U.S. government may hold onto that kind of information for too long, putting at risk organizations that it is supposed to protect from foreign adversaries who may discover the vulnerabilities on their own.

The U.S. government has said it notifies companies of software flaws unless there is a compelling national security reason to withhold the information, such as to disrupt a planned terrorist attack, wrote Michael Daniel, cybersecurity coordinator and a special assistant to President Obama, in a blog post on the White House's website last July.

The EFF's FOIA request sought documents that showed how the U.S. had, as termed in Daniel's blog post, "re-invigorated" the VEP. The results were "surprisingly meager," wrote Andrew Crocker, a legal fellow with the EFF's civil liberties team.

The most useful document the EFF received was from 2010 but only recounted a brief history of the VEP. Other documents were so heavily redacted that the EFF had a hard time parsing the content, Crocker wrote.

Zero-day flaws are highly sought after. The U.S. government used several of them to seed Stuxnet, a worm that disrupted Iran's uranium enrichment program.

But pressure and continuing questions over the use of such information prompted a response from the government after Heartbleed, a critical vulnerability in the OpenSSL cryptographic library, was disclosed in April 2014. In a rare denial, ODNI said it did not know about Heartbleed before it became widely known, after a Bloomberg report alleged the NSA knew about it for two years.

Crocker wrote that the documents leaked by former NSA contractor Edward Snowden also showed that "the government apparently routinely sits on zero-days," which a presidential advisory group discouraged in December 2013.

"The VEP is supposedly an answer to these concerns, but right now it looks like just so much vaporware," he wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags Office of the Director of National IntelligencesecurityU.S. National Security AgencyExploits / vulnerabilitiesElectronic Frontier Foundation

Featured

Slideshows

Channel celebrates as HP marks 50 years in NZ

Channel celebrates as HP marks 50 years in NZ

HP marked 50 years in New Zealand at an event in the vendor's Auckland's headquarters last night, with a host of key channel figures coming along to celebrate. Photos by HP.

Channel celebrates as HP marks 50 years in NZ
EDGE 2017 - Icebreaker Sessions round 2

EDGE 2017 - Icebreaker Sessions round 2

EDGE guests experience the value of networking at the second round of Icebreaker sessions.. Photos by Maria Stefina

EDGE 2017 - Icebreaker Sessions round 2
EDGE 2017 Dinner Under the Stars

EDGE 2017 Dinner Under the Stars

EDGE's Day 2 keynote and breakout sessions were followed by the Dinner Under the Stars. Over 300 people were present to enjoy a seafood feast and lots of excitement at Hamilton Island's Bougainvillea Marquee. Photos by Maria Stefina.

EDGE 2017 Dinner Under the Stars
Show Comments