A solicitation on FedBizOpps from the Navy asks security researchers to sell them their "vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software."
They're only interested in "0-day or N-day (no older than 6 months old)" bugs, meaning bugs that can be weaponized because no patch for them exists or has been widely applied.
The Navy, therefore, is seeking to secure America by ensuring that the "widely used and relied upon commercial software" that Americans depend on remains unpatched and vulnerable, so that it can attack its enemies, who use the same software, and they're conveniently ignoring the fact that their enemies can use those same bugs the Navy wants to hoard to attack American individuals, governments and companies.
The Navy pulled the solicitation down after EFF's Dave Maass tweeted about it, but EFF saved a copy. EFF is also suing the US government for a look at its Vulnerabilities Equities Process, which the USG bills as a "disciplined, rigorous and high-level decision-making process for vulnerability disclosure," but whose details are shrouded in mystery.
What's more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities. As we've explained before, the decision to use a vulnerability for "offensive" purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users. To its credit, the government has acknowledged that this decision is an extraordinarily important one in every case. It has even reportedly "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure," which it calls the Vulnerabilities Equities Process (VEP). The government says the VEP is entirely classified, and EFF is suing to get it released.We're skeptical that any VEP that results in the "majority of cases, responsibly disclosing" the vulnerability to the vendor, as White House spokesman Michael Daniels claims, could possibly be consistent with a solicitation such as the one the Navy posted this week. It strikes us as unlikely that the Navy would spend a large sum of money to develop exploits only to turn around and disclose the underlying vulnerabilities back to the vendor. To put it simply, the government is soliciting information about security vulnerabilities no one knows about in products everyone relies on every day—but apparently not to fix them.
The Navy tried to send this particular solicitation down the memory hole, but we're hopeful that through our FOIA suit, we can shed more light on the conflict between the government's public statements and its apparent practices surrounding its stockpiling of zero-days.
Damn the Equities, Sell Your Zero-Days to the Navy!
[Nate Cardozo and Andrew Crocker/EFF]
