Thursday, May 08, 2014

[qyysuoow] Surveillance 0day time limit

Create a policy that a signals-intelligence surveillance entity, e.g., the NSA, must disclose any zero-day vulnerability it knows about within a fixed period of time. It may exploit the vulnerability only during that limited period. The general idea is that if the agency knows about a flaw, someone else could eventually discover it too, so patching it becomes a matter of national interest. Furthermore, if the agency has successfully exploited the vulnerability, it should disclose that fact as well, since that helps prioritize how urgently the flaw must be fixed.

Perhaps also disclose the specific websites that have been exploited, so that customers of those sites know their data may have leaked, if not to the NSA then to anyone else who also discovered the vulnerability.
