
The White House Says They Have the Right to Withhold a Security Vulnerability


On Monday, as a follow-up to the awareness around the Heartbleed bug and all of the rumors that circulated around it, the White House posted a blog post clarifying its stance on how it approaches vulnerabilities such as Heartbleed. In fact, the NSA officially and categorically denied any knowledge of the Heartbleed bug on Twitter, even though they have been known to lie to Congress and the American people without hesitation, so their honesty is more than a little in question.

So, what exactly are they going to disclose and when? Well, there’s a nifty little checklist that the White House has provided so that we know when an agency should withhold information from the public and when it should make it public.

We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?

  • Does the vulnerability, if left unpatched, impose significant risk?

  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?

  • How likely is it that we would know if someone else was exploiting it?

  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?

  • Are there other ways we can get it?

  • Could we utilize the vulnerability for a short period of time before we disclose it?

  • How likely is it that someone else will discover the vulnerability?

  • Can the vulnerability be patched or otherwise mitigated?


So, the White House and the Obama administration are basically saying that if a vulnerability doesn’t really affect us too much, but can gain us lots of valuable intelligence, we should keep our mouths shut. What is interesting about this supposedly “rigorous” process for vulnerability disclosure is that it sets no time limit on how long they are allowed to wait before they disclose a vulnerability. There is no limitation on how long they can leave a vulnerability open if it passes all of the checks that they’ve established. They mention utilizing the vulnerability for a short period of time, but that doesn’t actually mean anything, because a short period of time could be a day, a week, a month, or a year.

With the Heartbleed bug and the public disclosure around it, a lot of companies scrambled to patch the bug, and some attacks utilized it immediately after its disclosure. However, if left unpatched, Heartbleed could have disastrous implications and would give any government with knowledge of it almost unlimited access across the web. As a result, many people simply don’t believe that the White House and the NSA were unaware of such a bug, especially since the NSA had quietly and continually exploited countless other bugs without any concern.

  • Kelemvor

    I don’t think it matters in most cases. Since when has the industry looked to the federal government to find and disclose vulnerabilities? Usually vulnerabilities are found by kids or actual security researchers. Heartbleed seems to be an exception to that. I’ve got more hope for researchers finding vulnerabilities in the future than for the government changing their ways.

    • e92m3

      I’m surprised that anyone actually finds this surprising.
      The people ‘asked’ (more like stamped their feet and screamed) for protection, this is how protection works.
      With regard to your comment, you’re correct. Really, the government watches mostly open-source or peer-reviewed publications, tests and sometimes exploits. Occasionally, they may develop something internally; however, there’s pretty much always going to be some sort of whitepaper on the topic.
      I mean come on, none of you actually thought they just bug-checked and didn’t potentially use their research to gain intelligence, right?