EFF questions US government's software flaw disclosure policy

The government hasn't shown that it is improving its zero-day flaw notification efforts

It's not clear if the U.S. government is living up to its promise to disclose serious software flaws to technology companies, a policy it put in place five years ago, according to the Electronic Frontier Foundation.

The digital watchdog said on Monday it received a handful of heavily redacted documents from the Office of the Director of National Intelligence (ODNI), which it sued last July after it and the National Security Agency moved too slowly on a Freedom of Information Act (FOIA) request.

Last year, the EFF sought documents related to the U.S. government's efforts to beef up its Vulnerability Equities Process (VEP), a framework for notifying companies about zero-day vulnerabilities.

Those type of software flaws are considered the most dangerous since attackers are actively using the flaws to compromise computers, and there are no patches ready.

But there has been concern that the U.S. government may hold onto that kind of information for too long, putting at risk organizations that it is supposed to protect from foreign adversaries who may discover the vulnerabilities on their own.

The U.S. government has said it notifies companies of software flaws unless there is a compelling national security reason to withhold the information, such as to disrupt a planned terrorist attack, wrote Michael Daniel, cybersecurity coordinator and a special assistant to President Obama, in a blog post on the White House's website last July.

The EFF's FOIA request sought documents that showed how the U.S. had, as termed in Daniel's blog post, "re-invigorated" the VEP. The results were "surprisingly meager," wrote Andrew Crocker, a legal fellow with the EFF's civil liberties team.

The most useful document the EFF received was from 2010 but only recounted a brief history of the VEP. Other documents were so heavily redacted that the EFF had a hard time parsing the content, Crocker wrote.

Zero-day flaws are highly sought after. The U.S. government used several of them to seed Stuxnet, a worm that disrupted Iran's uranium enrichment program.

But pressure and continuing questions over the use of such information prompted a response from the government after Heartbleed, a critical vulnerability in the OpenSSL cryptographic library, was disclosed in April 2014. In a rare denial, ODNI said it did not know about Heartbleed before it became widely known, after a Bloomberg report alleged the NSA knew about it for two years.

Crocker wrote that the documents leaked by former NSA contractor Edward Snowden also showed that "the government apparently routinely sits on zero-days," which a presidential advisory group discouraged in December 2013.

"The VEP is supposedly an answer to these concerns, but right now it looks like just so much vaporware," he wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Office of the Director of National IntelligencesecurityU.S. National Security AgencyExploits / vulnerabilitiesElectronic Frontier Foundation

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?