EFF sues NSA for non-disclosure of 0day vulnerabilities
The Electronic Frontier Foundation (EFF) has filed a lawsuit against the US National Security Agency.
Under the Freedom of Information Act (FOIA), EFF is demanding the release of documents describing the rules the government follows when deciding whether to disclose information about computer vulnerabilities.
The lawsuit is likely to succeed, since it falls squarely under 5 U.S.C. § 552, the Freedom of Information Act, with respect to the "public importance" of the requested information. If so, it would be the first step toward a public debate about the NSA's practices.
The agency has previously indicated, indirectly, that under certain conditions it does not disclose 0day vulnerabilities, using them instead to collect intelligence for national security purposes.
EFF's lawyers argue that withholding vulnerability information leaves users defenseless against criminal hackers and the intelligence services of other countries.
Thus, as soon as the NSA officially acknowledges that it withholds 0day vulnerabilities for its own purposes, a further lawsuit could follow from those who actually suffered harm from these unpatched vulnerabilities through the NSA's fault.
"A thriving global market has been created in which many buyers, including US government agencies and foreign governments, buy 0day vulnerabilities," the EFF statement said. "The terms of a transaction in this market usually require that the seller refrain from disclosing the vulnerability information to third parties. After that, the buyer decides how it will use the information it has received."
The lawsuit mentions the well-known Heartbleed vulnerability in the OpenSSL library. There is reason to believe that the NSA knew about this vulnerability almost from the beginning, that is, from its introduction into OpenSSL two and a half years ago (the NSA has publicly denied this). At a minimum, it is known that the NSA has dedicated departments for finding bugs in open-source projects, and that the staff of these departments outnumbers the volunteers working to improve the security of open-source projects.