Information Security News mailing list archives

White House Details Zero-Day Bug Policy


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 16 Apr 2014 07:29:55 +0000 (UTC)

http://www.darkreading.com/author.asp?section_id=314&doc_id=1204483

By Mathew J. Schwartz
Dark Reading
4/15/2014

NSA denies prior knowledge of the Heartbleed vulnerability, but the White House reserves the right to withhold zero-day exploit information in some cases involving security or law enforcement.

The White House and National Security Agency have strongly denied reports that the NSA had known about the Heartbleed vulnerability in OpenSSL for years and was actively exploiting it for intelligence-gathering purposes.

Those allegations appeared Friday in a Bloomberg News report -- citing unnamed sources -- claiming the NSA kept secret details about the Heartbleed vulnerability for at least two years. The vulnerability (a.k.a. CVE-2014-0160), which can be used to spoof and steal encrypted information from millions of vulnerable websites, was recently discovered and made public by Google engineer Neel Mehta and Finnish security firm Codenomicon.

But the NSA -- via Twitter -- and the Obama administration quickly disputed the Bloomberg report. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report," read a statement released Friday by the Office of the Director of National Intelligence (ODNI). "Reports that say otherwise are wrong." The ODNI also noted that the federal government relies on OpenSSL to secure government websites, and claimed that if any agency -- including the NSA -- had previously discovered the vulnerability, "it would have been disclosed to the community responsible for OpenSSL."

[...]


