EFF sues NSA for not disclosing 0day vulnerabilities

The Electronic Frontier Foundation (EFF) has filed a lawsuit against the US National Security Agency (NSA).

Under the Freedom of Information Act (FOIA), the EFF is demanding the release of documents describing the rules that guide the government's decisions on whether to disclose information about computer vulnerabilities.

The request is likely to be granted, since it falls squarely under section 552 of the Freedom of Information Act (codified at 5 U.S.C. § 552) with respect to the "public importance" of the information sought. If so, it would be the first step toward a public debate about the NSA's activities.
The agency has already indirectly acknowledged that under certain conditions it withholds information about 0day vulnerabilities and uses them to gather intelligence for national security purposes.

EFF lawyers argue that withholding vulnerability information leaves users exposed to hackers and to the intelligence services of other countries.

Thus, as soon as the NSA officially acknowledges that it withholds 0day vulnerabilities for its own purposes, further lawsuits could follow from those who have actually suffered harm because of vulnerabilities the NSA left unpatched.

“A thriving global market has been created in which many buyers, including US government agencies and foreign governments, purchase 0day vulnerabilities,” the EFF says in its complaint. “The terms of a transaction in this market usually require the seller not to disclose vulnerability information to third parties. After that, the buyer decides how it will use the information received.”

The complaint also mentions the well-known Heartbleed vulnerability in the OpenSSL library. There is reason to believe that the NSA knew about this vulnerability almost from the very beginning, that is, from the time it was introduced into OpenSSL two and a half years ago. At the very least, it is known that the NSA has dedicated teams for finding bugs in open source projects, and their staff outnumber the volunteers working to improve the security of those projects.

Source: https://habr.com/ru/post/228735/
