Has the NSA “poisoned the well” for responsible disclosure?
Revelations about the PRISM project suggest that US tech companies have been compelled to provide special assistance to US intelligence agencies. This has also drawn fresh attention to “responsible disclosure” arrangements for information about security vulnerabilities in those companies’ products.
Governments want early access to security vulnerabilities: flaws in code or design that would let an attacker gain privileged access to computers, from smartphones to servers, and to the data they hold. That information can then be used both defensively (protecting their own systems) and offensively (attacking systems they would, for whatever reason, like access to).
A legal commercial market for security vulnerabilities exists. But many security researchers instead choose to disclose vulnerabilities to the affected companies and agree to wait for a set period of time before publishing their findings. That is considered ‘responsible disclosure’.
However, a report by Bloomberg today highlights arrangements between companies such as Microsoft and intelligence agencies under which advance information about vulnerabilities is shared. These disclosures are made in the knowledge that the information can be used either defensively or offensively. There is no suggestion that the arrangements are legally compelled rather than voluntary.
But as the secret arrangements between US tech firms and intelligence services become a cause for concern, will this affect how disclosure arrangements are perceived? Will researchers see themselves as assisting US intelligence? If, when researchers share their findings with service providers, those providers simply pass the details on to intelligence agencies, aren’t the providers undermining the incentive to disclose responsibly? Will foreign governments regard their own citizens’ participation in responsible disclosure as supplying electronic arms to a foreign power?