> > This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
>
> Nothing about this statement makes me believe that they were unaware of Heartbleed, specifically because it seems to imply that they don't stockpile vulns that they find, which we know that they do.

Are you just trying to be obtuse here? The very paragraph you quoted says they are biased towards disclosing, not 100% committed to disclosing. They admit right there that it's possible they would discover a vulnerability and not disclose it. But the part of the statement you left out is that Heartbleed in particular would only have met their criteria for disclosure due to the great danger to USG systems and systems used by private U.S. persons and entities.

> I suspect that this isn't true, especially if the US government isn't using OpenSSL for their internal security.

The USG uses OpenSSL everywhere. Even USG can't run MS everywhere, and there's not exactly a ton of options for their many Linux, BSD and UNIX-based systems. Even worse, they likely use OpenSSL in places that no one in particular knows about. It wouldn't surprise me one bit to find out that some of those 300,000 systems still vulnerable belong to government agencies.

> If we're going with anecdotes, I've met a couple of military contractors who claimed to have known of Heartbleed ahead of the public disclosure by non-trivial periods of time.

Non-trivial as in? If they heard about it while Google was developing a fix (and logo), as you seem to be implying, that's preferential disclosure, not the NSA holding onto a vuln from the day it came out.