US still hoarding zero-day app vulnerabilities, say EFF campaigners

Uncle Sam keeps security hole glory box locked tight

Sign outside the National Security Agency HQ

The Electronic Frontier Foundation reckons America's spooks aren't living up to the Obama administration's 2014 statement that it would disclose more vulnerabilities than it hoarded.

In April 2014, the administration told the world it would only keep vulnerabilities back where its spooks thought it was vital for intelligence gathering.

The EFF didn't believe in the idea of a vulnerability Glasnost, however, and in July 2014 it sued the NSA seeking documentation of the “Vulnerabilities Equities Process” (VEP) the spooks use to justify holding 0-days.

The Office of the Director of National Intelligence (ODNI) has now handed over some documents to the EFF, and the group isn't pleased: all it got for its pains was a bunch of “heavily redacted documents” and a “highlights” document dating back to 2010.

The only thing the documents “reveal” is that before Stuxnet wormed its way around the Middle East, the spooks decided to create the VEP, presumably because work like Stuxnet demonstrated just how valuable a vulnerability could be.

The spooks realise that in assessing the worth of a vulnerability, they need to weigh up its value as an attack vector against the need to defend against it should someone else know about it.

The EFF has posted the documents it has secured so far here, and says it expects further redacted document releases in the near future. ®
