Governments, unsurprisingly, are trying to buy unpatched security exploits in the name of surveillance or cyber defence, but they refrain from admitting it.
The US Navy, however, was caught by the Electronic Frontier Foundation (EFF) soliciting unpatched security flaws.
The EFF revealed that the US Navy was soliciting zero-day exploits, and vulnerabilities less than six months old, in widely used software from Microsoft, Google and Apple.
This was exposed through the Navy’s solicitation posted on FedBizOpps. In the post, the Navy asked security researchers to sell it “their vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software.”
The solicitation was primarily for “0-day or N-day (no older than 6 months old)” bugs, which means the Navy was interested only in flaws in unpatched software that can be weaponized.
The US Navy acted quickly and took down the post. However, it was clearly evident that the military branch wanted these flaws turned into “exploit binaries,” meaning the Navy wants finished software it can use for attacks.
Security researchers usually write such programs only to prove that a security flaw is exploitable, but a request like this from the Navy certainly raises questions about the government’s priorities.
Even as the US is making arrangements to restrict the export of attack tools such as zero-day exploits, it is at the same time encouraging security testers to sell it that information before informing the developers.
This trade exposes users to hackers for an unnecessarily prolonged period, while the government gives the general public the impression that it is fighting digital wars for their safety.
The Navy pulled the solicitation down after EFF’s Dave Maass tweeted about it, but EFF saved a copy. EFF is also suing the US government for a look at its Vulnerabilities Equities Process.