Heartbleed bug: Feds say they weren't exploiting security flaw for spying
The federal government emphasized that the US National Security Agency (NSA) did not know the Heartbleed bug had been compromising supposedly secure websites for at least two years and said it has not used Heartbleed for surveillance purposes.
The Obama administration said the NSA was not aware of Heartbleed until it was made public in a private sector cybersecurity report a few weeks ago.
The Office of the Director of National Intelligence, headed by James Clapper, said in a statement that when "federal agencies discover a new vulnerability in commercial and open source software--a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it--it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."
Clapper said the White House had reviewed its policies in response to the recommendations of the President's Review Group on Intelligence and Communications Technologies that was established to review the surveillance practices of the NSA.
The statement said an inter-agency process called the Vulnerabilities Equities Process recommended that, unless there is a clear national security or law enforcement need, the process is "biased toward responsibly disclosing such vulnerabilities."
One of the review group's recommendations in December 2013 was that US policy should ensure that Zero-day vulnerabilities are quickly blocked and the underlying vulnerabilities are patched on US government and other networks.
The group believes that in "rare instances," the policy of the government may briefly authorize using a Zero-day flaw for intelligence collection after inter-agency review involving all relevant departments at a senior level.
As to allegations that the US government introduced "backdoors" into commercially available software that permit the decryption of apparently secure software, the review group said it was not aware of any such incidents.
It did, however, advise that the US government should make it clear that the NSA will not engineer vulnerabilities into the encryption algorithms that guard global commerce.