Vulnerabilities within pieces of software can expose otherwise secure data to outside parties. Such vulnerabilities are exploited not just by malicious actors looking to exploit secured data for criminal reasons, but also by law enforcement and intelligence agencies. Government agencies have cultivated vulnerabilities as investigative tools and cyber weapons, and at times keep the vulnerabilities they have discovered secret from both the companies that produced the software and the consumers who rely upon it. While the US Government has created a vulnerability disclosure system to help decide when to keep a vulnerability secret, it does not do enough to balance the government’s national security and law enforcement interests with the data security interests of the public. As debates over government access to encrypted data continue, a strong legal framework for deciding when and how government actors can keep vulnerabilities secret must be established.
The Secrets We Keep…: Encryption and the Struggle for Software Vulnerability Disclosure Reform, Mich. Tech. L. Rev.
Available at: https://repository.law.umich.edu/mtlr/vol25/iss1/4