The NSA hacking codes leaked by cybercriminal group Shadow Brokers have sparked a national conversation regarding vulnerability disclosure policies. The leaked codes consist of approximately a dozen firewall vulnerabilities that experts believe the National Security Agency (NSA) has been exploiting for years to spy on various foreign networks, while also putting other organizations around the world at risk. The Obama administration created the Vulnerability Equities Process (VEP), which “calls on intelligence agencies to disclose security vulnerabilities by default.” However, it appears the NSA ignored these requirements and took advantage of a large number of zero-day vulnerabilities, allowing them to linger unpatched. As a result, privacy activists and security pros have expressed the need for transparency in the government’s disclosure process. “If the government chooses to engage in lawful hacking, it must also support responsible disclosure,” explained Mozilla Senior Policy Manager Heather West. The recent revelations provide further evidence that the vulnerability disclosure policy is not working, as the government continues to put other organizations at risk for its own interests. Perhaps the NSA leak is exactly what was needed to shape true policy reform.