A newly released document from the FBI sheds a little more light on the government’s controversial policy around the use of zero-day exploits. Though there is still much we don’t know, the question of when the secretive policy was put into place is finally answered: February 2010.
It wasn’t until last year that the government even admitted to using zero-day exploits for attack purposes. Following that disclosure, the White House then revealed that it had established an Equities process for determining when a zero-day software vulnerability it learns about should be disclosed to a vendor to be fixed or kept secret so that the NSA and other agencies can exploit it for intelligence or law enforcement purposes.
The question was when exactly the policy had been established.
Zero-day vulnerabilities are software security holes that are not known to the software vendor and are therefore unpatched and open to attack by hackers and others. A zero-day exploit is the malicious code crafted to attack such a hole to gain entry to a computer. When security researchers uncover zero-day vulnerabilities, they generally disclose them to the vendor so they can be patched. But when the government wants to exploit a hole, it withholds the information, leaving all computers that contain the flaw open to attack—including U.S. government computers, critical infrastructure systems and the computers of average users.