EFF sues NSA over hoarding details of zero day flaws

Alleges spy agency knew about Heartbleed and other flaws but kept quiet


The Electronic Frontier Foundation has filed a Freedom of Information lawsuit against the NSA, alleging the agency knew about the Heartbleed bug for years before the public learned of its existence.

The internet freedom campaign organisation claimed that the NSA chooses where and when it informs the security community about zero-day flaws, and it wants to force the spy agency to be more transparent about how those choices are made.

In April, Bloomberg News reported that the NSA had secretly exploited the Heartbleed bug in OpenSSL for at least two years before the public knew of its existence. The US government denied the report and said it had developed a Vulnerability Equities Process for deciding when to share knowledge of vulnerabilities with vendors and the public.

The White House explained in a blog post at the time that this process was biased towards disclosing flaws, and said it had "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure".

But the same post conceded that the process had "no hard and fast rules".

The EFF said it had lodged Freedom of Information Act requests for records related to zero-day flaws with both the NSA and the US Office of the Director of National Intelligence. It made the FOIA requests on 6 May but has yet to receive any documents. The privacy campaigners also want more detail on how intelligence agencies decide whether to disclose a vulnerability or keep exploiting it.

"This FOIA suit seeks transparency on one of the least understood elements of the US intelligence community's toolset: security vulnerabilities," said EFF Legal Fellow Andrew Crocker. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."

EFF Global Policy Analyst Eva Galperin said that while spy agencies hold onto zero-day exploits, the wider community is left defenceless against hackers and cybercriminals as well as unfriendly foreign governments.

"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," she said.
