
Document: U.S. gov’t OKs exploiting certain zero-days during investigations

Documentation entered into public record last week acknowledged that in some cases the U.S. government condones the exploitation of zero-day vulnerabilities in software for intelligence and law enforcement purposes rather than alerting the software manufacturer or the public of the security flaw.

The U.S. government's “Vulnerabilities Equities Process” (VEP), which delineates the procedure for determining if a vulnerability should be disclosed or withheld, was disclosed in response to a Freedom of Information Act (FOIA) lawsuit filed by watchdog group the Electronic Frontier Foundation (EFF). The U.S. originally submitted a highly redacted version of the VEP in September 2015, but a subsequent court challenge by the EFF led to this latest version with fewer blacked-out passages.

The VEP stated that the discovery of vulnerabilities “may present competing equities for USG offensive and defensive mission interests,” and that these equities must be weighed before determining whether or not to disseminate the information.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
