EFF v. NSA, ODNI - Vulnerabilities FOIA

EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation. In response to EFF's lawsuit, the government released the VEP to the public in January 2016.

A zero-day is a previously unknown security vulnerability that a researcher has discovered, but the developers have not yet had a chance to patch. A thriving market has emerged for these zero-days; in some cases governments—including the United States—will purchase these vulnerabilities, which they can use to gain access to targets' computers.

In April 2014, Bloomberg News published a story alleging that the NSA had secretly exploited the "Heartbleed" bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability. The government strongly denied the report, claiming it had a developed the VEP for deciding when to share vulnerabilities with companies and the public. The White House's cybersecurity coordinator further described in a blog post that the government had "established principles to guide agency decision-making" including "a disciplined, rigorous and high-level decision-making process for vulnerability disclosure." But the VEP itself was not shared with the public. EFF filed a FOIA request for records related to these processes on May 6, 2014, and then filed suit against ODNI and NSA on July 1, 2014 to force disclosure of relevant documents. In response to EFF's briefs pointing to the government's extensive public statements about the VEP, the government released a largely unredacted version of the document in January 2016. In March 2016, a federal court in San Francisco upheld the few remaining redactions. Other documents released as part of the lawsuit are also available on this page.  

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Here's a 360-degree photo of some of the volunteers who've gathered 415+ California database catalogs https://www.facebook.com/eff/... #datahunt

Aug 27 @ 2:31pm

Unless stopped, European user content sites may be forced to do revenue-sharing deals with entertainment companies https://www.eff.org/deeplinks...

Aug 26 @ 3:52pm

Leaked European copyright proposal would cause massive changes to Internet platforms and news sites as we know them https://www.eff.org/deeplinks...

Aug 26 @ 1:06pm
JavaScript license information