The Electronic Frontier Foundation (EFF) has filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI) to obtain documents describing how the intelligence agencies decide whether to share information about security holes in software and hardware that they discover or purchase. The records should help show whether these agencies deliberately leave computers vulnerable so that they can exploit those vulnerabilities, both at home and abroad.
A zero day can be defined as "a previously unknown security vulnerability in software or online services that a researcher has discovered, but the developers of that software have not yet had a chance to patch". There is a large underground market for zero days. In some cases governments, including the United States, buy these vulnerabilities to gain access to targets' computers and do not disclose them to the affected vendors, leaving computers across their own country exposed to anyone else who knows about the same flaw.
A few months ago, Bloomberg published an article alleging that the NSA had secretly exploited the "Heartbleed" OpenSSL bug for at least two years before this critical vulnerability was made public. The government denied the report, and said that it now has a "Vulnerability Equities Process" for deciding when to share vulnerabilities with companies and the public.
The White House's cybersecurity coordinator further described in a blog post that the government had "established principles to guide agency decision-making", including "a disciplined, rigorous and high-level decision-making process for vulnerability disclosure." The content of those principles, however, has not been shared with the public.
EFF filed a FOIA request for records related to these processes on May 6 but has not yet received any documents, even though ODNI agreed to expedite the request.
"This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community's toolset: security vulnerabilities," EFF Legal Fellow Andrew Crocker said. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."
"Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors," Global Policy Analyst Eva Galperin said.