Identified a security hole in a piece of well-known software? You could alert the maker to keep everyone safe — or you could sell it to the US Navy, which will buy the information from you in order to build software to exploit the hole.
Noted eagle eye and EFF Investigative Researcher Dave Maass happened on an interesting item from earlier this week on FedBizOpps, the site for government agencies to post contracting opportunities. The Navy put up a solicitation explaining that the government wants "access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software," including Microsoft, Adobe, Android, Apple, "and all others." If that weren't clear enough, the solicitation explains that "the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries."
Although this solicitation was posted on a publicly accessible site, it seems the Navy didn't want the attention and pulled it down the day after Dave tweeted about it. (We've uploaded the cached copy from Google.) Even so, the fact that the United States government is looking for vendors to sell it software vulnerabilities isn't news — we've known for some time that the government uses software vulnerabilities, sometimes known as zero-days, for offensive intelligence-gathering and espionage. The media has also reported on the government's purchases of zero-days from outside vendors.
What's more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities. As we've explained before, the decision to use a vulnerability for "offensive" purposes rather than disclosing it to the developer is one that prioritises surveillance over the security of millions of users. To its credit, the government has acknowledged that this decision is an extraordinarily important one in every case. It has even reportedly "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure," which it calls the Vulnerabilities Equities Process (VEP). The government says the VEP is entirely classified, and EFF is suing to get it released.
We're sceptical that any VEP that results in the "majority of cases, responsibly disclosing" the vulnerability to the vendor, as White House spokesman Michael Daniels claims, could possibly be consistent with a solicitation such as the one the Navy posted this week. It strikes us as unlikely that the Navy would spend a large sum of money to develop exploits only to turn around and disclose the underlying vulnerabilities back to the vendor. To put it simply, the government is soliciting information about security vulnerabilities no one knows about in products everyone relies on every day — but apparently not to fix them.
The Navy tried to send this particular solicitation down the memory hole, but we're hopeful that through our FOIA suit, we can shed more light on the conflict between the government's public statements and its apparent practices surrounding its stockpiling of zero-days.
This article first appeared on Electronic Frontier Foundation and republished here under Creative Commons licence.
Picture: US Navy