EFF questions US government's software flaw disclosure policy

31.03.2015
It's not clear if the U.S. government is living up to its promise to disclose serious software flaws to technology companies, a policy it put in place five years ago, according to the Electronic Frontier Foundation.

The digital watchdog said on Monday it received a handful of heavily redacted documents from the Office of the Director of National Intelligence (ODNI), which it sued last July after it and the National Security Agency moved too slowly on a Freedom of Information Act (FOIA) request.

Last year, the EFF sought documents related to the U.S. government's efforts to beef up its Vulnerability Equities Process (VEP), a framework for notifying companies about zero-day vulnerabilities.

Those type of software flaws are considered the most dangerous since attackers are actively using the flaws to compromise computers, and there are no patches ready. 

But there has been concern that the U.S. government may hold onto that kind of information for too long, putting at risk organizations that it is supposed to protect from foreign adversaries who may discover the vulnerabilities on their own.

The U.S. government has said it notifies companies of software flaws unless there is a compelling national security reason to withhold the information, such as to disrupt a planned terrorist attack, wrote Michael Daniel, cybersecurity coordinator and a special assistant to President Obama, in a blog post on the White House's website last July.

The EFF's FOIA request sought documents that showed how the U.S. had, as termed in Daniel's blog post, "re-invigorated" the VEP. The results were "surprisingly meager," wrote Andrew Crocker, a legal fellow with the EFF's civil liberties team.

The most useful document the EFF received was from 2010 but only recounted a brief history of the VEP. Other documents were so heavily redacted that the EFF had a hard time parsing the content, Crocker wrote.

Zero-day flaws are highly sought after. The U.S. government used several of them to seed Stuxnet, a worm that disrupted Iran's uranium enrichment program.

But pressure and continuing questions over the use of such information prompted a response from the government after Heartbleed, a critical vulnerability in the OpenSSL cryptographic library, was disclosed in April 2014. In a rare denial, ODNI said it did not know about Heartbleed before it became widely known, after a Bloomberg report alleged the NSA knew about it for two years.

Crocker wrote that the documents leaked by former NSA contractor Edward Snowden also showed that "the government apparently routinely sits on zero-days," which a presidential advisory group discouraged in December 2013.

"The VEP is supposedly an answer to these concerns, but right now it looks like just so much vaporware," he wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk

Zur Startseite