EFF v. NSA, ODNI - Vulnerabilities FOIA

A zero-day is a previously unknown security vulnerability in software or online services that a researcher has discovered but that the developers have not yet had a chance to patch. A thriving market has emerged for these zero-days; in some cases governments, including the United States, will purchase these vulnerabilities, which they can use to gain access to targets' computers.

In April 2014, Bloomberg News published a story alleging that the NSA had secretly exploited the "Heartbleed" bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability. The government strongly denied the report, claiming it had developed a new "Vulnerability Equities Process" (VEP) for deciding when to share vulnerabilities with companies and the public. The White House's cybersecurity coordinator further explained in a blog post that the government had "established principles to guide agency decision-making" including "a disciplined, rigorous and high-level decision-making process for vulnerability disclosure." But the VEP itself was not shared with the public.

EFF filed a FOIA request for records related to these processes on May 6, 2014, and then filed suit against ODNI and NSA on July 1, 2014 to force disclosure of relevant documents. The government has agreed to release documents related to the VEP on an ongoing basis.

After first arguing that the VEP was classified, the government released a partially redacted version of the VEP policy document in September 2015. EFF is currently challenging those redactions.

The documents released so far are available on this page.
