The National Security Agency is opening up a bit about how it discloses security exploits… though not by much. Officials have posted an infographic boasting that the NSA shares details about 91 percent of the security flaws it finds, with the remaining 9 percent either fixed by vendors first or held back for “national security reasons.” As it argues, it’s in the country’s best interests to protect the internet by “responsibly” letting software developers know about these dangerous bugs. There wouldn’t be much point to holding back on these details if it wrecked the internet, the surveillance outfit says.
This sounds altruistic on the surface, but critics argue that the NSA is playing a shell game in an attempt to distract from the real problems. The issue isn’t so much how many exploits are revealed as when they’re revealed. After all, it isn’t exactly generous to keep vulnerabilities secret, use them to spy on people, and talk about them only after you’ve gathered the intelligence you need. And of course, not all exploits are created equal. Disclosing a raft of minor, easily fixed security holes doesn’t matter much if you keep the bigger examples to yourself. The NSA’s figures would only be meaningful if the organization always revealed exploits to companies as soon as possible, no matter how serious those flaws might be.