EFF sues NSA over hoarding details of zero day flaws
Alleges spy agency knew about Heartbleed and other flaws but kept quiet
The Electronic Frontier Foundation has filed a complaint against the NSA, alleging it knew about the Heartbleed bug for years before the public learned of its existence.
The internet freedom campaign organisation claimed that the NSA chooses where and when it informs the security community about zero-day flaws and is aiming to get the spy agency to be more transparent.
In April, Bloomberg News reported that the NSA had secretly exploited the Heartbleed bug in OpenSSL for at least two years before the public knew of its existence. The US government denied the report and said it had developed a Vulnerability Equities Process for deciding when to share knowledge of exploits with firms and the public.
The White House explained in a blog post at the time that this process was intended to disclose flaws, and said it had "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure".
But the same post said that the process had "no hard and fast rules".
The EFF said it had lodged a Freedom of Information Act request for records related to zero-day flaws with both the NSA and the US Office of the Director of National Intelligence. It made the FOIA request on 6 May but has yet to receive any documentation. The privacy campaigners also want more detail on how intelligence agencies choose whether to disclose exploits.
"This FOIA suit seeks transparency on one of the least understood elements of the US intelligence community's toolset: security vulnerabilities," said EFF Legal Fellow Andrew Crocker. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."
EFF Global Policy Analyst Eva Galperin said that while spy agencies held onto zero-day exploits, the wider community was left defenceless against hackers and cybercriminals as well as unfriendly foreign governments.
"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," she said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.