NSA Vows to Disclose Zero-Day Vulnerabilities

In a speech delivered at Stanford University, National Security Agency director Michael Rogers announced that the NSA will no longer stockpile "zero-day exploits", software glitches that could facilitate cyber espionage. In the past, the NSA has kept these vulnerabilities secret for use in counterintelligence. Admiral Rogers announced, "the default setting is if we become aware of a vulnerability, we share it." By disclosing vulnerabilities, the NSA allows software developers to fix the glitches and keep the internet more secure. Admiral Rogers recognized that "'a fundamentally strong Internet is in the best interest of the U.S.'" In December 2013, the President's Review Group on Intelligence and Communications Technologies recommended that "US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The Review Group report contains 45 other similar recommendations that EPIC generally supports and the White House has pledged to adopt. Earlier this year, the NSA's policies on zero-day exploits came under scrutiny when an glitch known as the "Heartbleed bug" threatened to undermine SSL encryption across the entire internet. For more information, see EPIC: In re EPIC and EPIC: NSPD-54 Appeal.


« "Toward a European 'Marco Civil'?" | Main | Post-Snowden, Social Media Users Concerned About Access to Personal Data »

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

#Privacy