After Heartbleed, NSA reveals some flaws are kept secret

The White House explains the government’s process when deciding whether to withhold knowledge of a security vulnerability -- “There are legitimate pros and cons to the decision to disclose.”

Dara Kerr Former senior reporter
Dara Kerr was a senior reporter for CNET covering the on-demand economy and tech culture. She grew up in Colorado, went to school in New York City and can never remember how to pronounce gif.
Dara Kerr
2 min read


It's no secret that the National Security Agency is full of secrets. But, in a rare move, the White House disclosed Monday a bit more about how the NSA works.

In a blog post, White House cybersecurity coordinator Michael Daniel detailed when the NSA keeps security vulnerabilities under wraps and when it lets the public know they exist.

"Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest," Daniel wrote. "But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run."

Earlier this month, news of the massive Heartbleed bug reverberated across the Internet showing how easily people's online data could be accessed. This particularly nasty vulnerability -- which has the capability to potentially extract people's usernames, passwords, and credit card information -- is said to have affected up to 500,000 websites, including Google, Facebook, Yahoo, and many more.

Initially, it was reported that the NSA was aware of Heartbleed and failed to let the American public know about its existence, but the agency was quick to deny those allegations.

In his blog post, Daniel reiterates that the government had no knowledge of Heartbleed.

"While we had no prior knowledge of the existence of Heartbleed, this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public," Daniel wrote.

For the most part, the government discloses vulnerabilities, Daniel said. But there are times, he said, when it's beneficial to withhold knowledge of certain flaws. Those instances include collecting intelligence that could "thwart a terrorist attack" or "stop the theft of our nation's intellectual property."

Several government agencies have put together a set of principles they use when deciding whether to disclose vulnerabilities. If the government does decide to keep a security flaw secret, it goes through a series of questions about why it made that decision, including the possible risk, exploitability, and reach of the bug.

"There are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," Daniel wrote. "This interagency process helps ensure that all of the pros and cons are properly considered and weighed."