Vulnerability Management

Documents on NSA’s zero-day policy provide little insight, EFF says


When the Electronic Frontier Foundation (EFF) sued the National Security Agency (NSA) over records regarding the government's alleged prior knowledge of Heartbleed, the privacy group hoped to gain insight into the agency's zero-day exploitation policy.

Within the heavily redacted pages of the obtained documents, however, a policy was nowhere to be found, the EFF wrote in a blog post on Monday.

The documents, including one “highlights” page from 2010, discuss the government's “Vulnerability Equities Process,” which is defined as a policy that “establishes a formal process that can serve as an example and foundation for future mission-bridging, agreements, information-sharing and policy.”

Other than that, not much else can be gleaned, said Andrew Crocker, fellow at the EFF.

“There really isn't a lot there,” he said in an interview with “It really doesn't give a lot of credence to what the government has been saying about how carefully they consider zero-days, and it doesn't support a rigorous decision-making process.”

While privacy advocates hoped the documents would expound on the government's zero-day decisions, at least one tech sector source believed the policy was pretty well communicated following the disclosure of Heartbleed.

A White House blog post from Michael Daniel, special assistant to President Obama and cybersecurity coordinator, stated that he considers multiple factors when withholding a vulnerability from the public.

He primarily asks how much a vulnerable system is used in core internet infrastructure, in critical infrastructure and generally in U.S. national security systems. Other considerations include how significant a risk the unpatched bug presents and how likely it is that someone else is exploiting it.

For Philip Lieberman, CEO of Lieberman Software, Daniel's post made the policy well-known, especially considering that most countries maintain zero-day arsenals, similar to the United States.

“No matter what we do, there's no good outcome with zero-days as long as the other side has them,” he said in an interview with “We're all dancing on the knife of the sword, and we're all bleeding as a result of this. It's nothing we want, but it's the world that we're in.”

Although Lieberman sees zero-days and governments' use of them as a part of a connected society, Jake Laperruque, fellow on privacy, surveillance and security at the Center for Democracy & Technology, told that the U.S. needs to begin having an open dialogue surrounding the policy.

Innocent internet users could be impacted, he said.

“A vulnerability that is used by our government could be used against our citizens by someone else,” he said. “Along those lines, given that these are inherent risks to all internet users, to some degree, there has to be a public conversation [to determine] appropriate use and how it could compromise user internet safety.”

These documents might have provided initial conversation fodder, but their lack of genuine information, sans redaction, makes it difficult, both he and Crocker said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.