EFF Questions American Government’s Software Flaw Disclosure Policy

Monday, June 29th, 2015

The Electronic Frontier Foundation (EFF), the leading non-profit group defending privacy and civil liberties in the digital world, has questioned the American government’s commitment to disclosing software flaws to tech companies. Although the US government has a policy in place governing the disclosure of severe vulnerabilities found in software products, the EFF says that the policy is not being enforced strictly. The policy was framed over five years ago to enable tech companies to fix serious flaws in their products before hackers and cyber criminals got a chance to exploit a newly discovered vulnerability.

The EFF made this announcement after receiving a set of documents from the Office of the Director of National Intelligence (ODNI). The heavily redacted documents were released in response to a case filed by the watchdog in July last year. The EFF was miffed at the slow pace of response from both the ODNI and the NSA to a Freedom of Information Act (FOIA) request and, as a result, decided to sue the ODNI in court. The watchdog had sought information related to the Vulnerabilities Equities Process (VEP), the policy framework that dictates how the US government notifies tech companies about zero-day vulnerabilities.

A zero-day vulnerability is a previously unknown flaw in a piece of software or an operating system; an attack that exploits such a flaw is called a zero-day (or day-zero) attack. Unlike vulnerabilities that are already known to the software’s developers, a zero-day vulnerability presents a short window and a unique opportunity to hackers and criminals, since no fix for the flaw is yet available. It is not uncommon for hackers to sell previously unknown zero-day vulnerabilities to criminals, or even to government agencies engaged in cyber warfare, for hundreds or even thousands of dollars. As can be imagined, a powerful zero-day vulnerability could wreak havoc in today’s digital world and affect millions of people across the globe.

Security experts have recently accused the U.S. government of withholding information about newly discovered zero-day vulnerabilities for considerable periods of time, thereby putting American organizations and citizens at risk. However, cybersecurity coordinator Michael Daniel clarified in a post on the White House’s site last year that the government informs tech companies of all new software flaws unless there is a reason not to disclose a vulnerability (such as disrupting future terror attacks).

While Daniel claims in his blog post that the US government had “re-invigorated” the Vulnerabilities Equities Process, the EFF found the results far from satisfactory. Only one of the documents received by the watchdog contained a brief history of the process, while the others were redacted to such an extent that it was almost impossible to decipher their content. When questions were raised last year over whether the NSA had known about the Heartbleed bug for two years before its existence became public, the ODNI responded by saying that it did not have any prior information about the vulnerability. Andrew Crocker, part of the EFF’s civil liberties team, said that the documents leaked by Snowden also show that the government routinely delays releasing information about zero-day vulnerabilities. He added that the VEP should be the answer to all such concerns but, as of now, it is not.
