NSA zero days and encryption backdoors need clear disclosure policies

The government has another public balancing act on its hands with the disclosure this week of exploits against commercial security products that were purportedly cooked up by the NSA.

These attack tools, revealed by a group called Shadow Brokers, date from sometime before June 2013, and some of them were still effective this week, which means the NSA never told the vendors about them.

That helps flesh out what the Obama administration meant two years ago when it said that under most circumstances the NSA would tell vendors if it exploits vulnerabilities in their security products. The exception: the disclosure policy wouldn’t apply if there were a clear national security or law enforcement need.


Network World Tim Greene