US Navy Wants To Buy Your Software’s Zero-Day Vulnerabilities
There are plenty of software engineers and hackers out there whose job is to search for a software’s security loopholes, flaws, and zero-day vulnerabilities to patch them before they are discovered and exploited by hackers. Google themselves have such an initiative in place where they take it upon themselves to try and discover as many flaws as possible.
While these flaws could be used by hackers for malicious purposes, it seems that the US Navy seems these flaws as a potential way to gather intelligence on their targets. This was discovered by Dave Maass (via EFF) through a posting made on FedBizOpps, which is a site used by government agencies to post contracts on.
According to the posting, it requires that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.” It also appears that they are seeking for vulnerabilities in commonly used software from the likes of Microsoft, Apple, and Google.
Unsurprisingly the posting has since been taken down. While the US government has policies in place for disclosing exploits, the fact that they are looking to purchase said exploits is a bit worrying as developers might be more inclined to sell the information to the US government as opposed to informing the company behind the software who may or may not pay them for their efforts.