U.S. gov't OKs exploiting certain zero-days during investigations
The U.S. government's “Vulnerabilities Equities Process” (VEP) document describes the procedure for determining if a vulnerability should be disclosed or withheld from the public.
Documentation entered into the public record last week acknowledged that in some cases the U.S. government condones the exploitation of zero-day vulnerabilities in software for intelligence and law enforcement purposes rather than alerting the software manufacturer or the public to the security flaw.
The U.S. government's “Vulnerabilities Equities Process” (VEP), which delineates the procedure for determining if a vulnerability should be disclosed or withheld, was disclosed in response to a Freedom of Information Act (FOIA) lawsuit filed by watchdog group the Electronic Frontier Foundation (EFF). The U.S. originally submitted a highly redacted version of the VEP in September 2015, but a subsequent court challenge by the EFF led to this latest version with fewer blacked-out passages.
The VEP stated that the discovery of vulnerabilities “may present competing equities for USG offensive and defensive mission interests,” and that these equities must be weighed before determining whether or not to disseminate the information.