Would the government have told us about Heartbleed? Should it?
The U.S. government says it did not know about the Heartbleed vulnerability in OpenSSL before it was publicly disclosed. But White House Cybersecurity Coordinator Michael Daniel says that even if it had known, it might not have told us.
“In the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” Daniel wrote in a recent White House blog post. But not always. “Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”
Daniel goes on to explain some of the criteria used in deciding when and when not to disclose a serious vulnerability.
Over the years, the security community has come to a rough consensus on how to handle disclosure of security vulnerabilities in software, usually called responsible or coordinated disclosure. The discoverer first informs the product’s vendor privately, giving the company time to develop a patch or workaround before the discoverer publishes details. This protocol is not mandatory, however. Researchers can use the threat of public disclosure to pressure vendors into fixing vulnerabilities, and some companies offer a bounty for new vulnerabilities to encourage researchers to cooperate. But a new vulnerability can be worth far more than a bounty to a buyer who intends to use it rather than fix it.
In the end, how a vulnerability is handled depends on the motives and morals of the discoverer. For criminals, a good zero-day vulnerability—one for which no fix yet exists—is money in the bank. For governments, it can be an espionage tool or a weapon. The Stuxnet worm, an offensive weapon widely believed to have been developed by the United States and Israel, exploited several zero-day vulnerabilities.