Hopefully you all remember that a few weeks ago the NSA denied having known about the Heartbleed vulnerability before it was publicly exposed. Yet the Edward Snowden leaks reveal that finding bugs of this size is one of the agency’s main jobs, especially given the widespread use of the affected OpenSSL versions.
Since the Heartbleed vulnerability had been around for two years, it is hard to believe that the agency did not take advantage of it.
Michael Daniel, White House cybersecurity coordinator, said in a statement:
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”

The decision to share more information about how the agency works actually came after Heartbleed was exposed. The agency said that it considered several things before deciding whether to share the information it had on bugs, and more specifically how the White House decided which vulnerabilities were withheld from the public.
Initially, the agency analyzes the severity of the bug and reports which systems the vulnerability affects. After that, it assesses what the effect would be if the vulnerability is patched or left unpatched.
Another consideration is whether the agency can exploit the bug for a short period before disclosing it, and whether anyone else is likely to spill the beans before it does. “How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it?” Daniel wrote.
“Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake,” Daniel wrote.