Federal agencies served with a Freedom of Information Act request are refusing to release documents related to their purchase, use and disclosure of zero-day exploits, keeping the American public in the dark about a practice that leaves the Internet and its users less secure.
Zero-day exploits are special software programs that take advantage of security vulnerabilities in software that are unknown to the software’s manufacturer. These exploits are frequently used by intelligence agencies and the military as well as, we suspect, by federal law enforcement agencies. But they can be used by any hackers, whether they work for the U.S. government, a foreign government, a criminal group, or anyone else. Zero-day vulnerabilities and the tools that exploit them are extremely powerful, because there is very little that potential targets can do to protect themselves.
But the effectiveness of such exploits depends on their secrecy—if the companies that make the affected software are told about the flaws, they will issue software updates to fix them. Governments thus have a strong incentive to keep information about the exploits they have developed or purchased secret from both the public and the companies who create the software we all use. Continue>>>