> I respect Bruce and he's done a ton of great work, but I obviously disagree with him on this point. I do not believe governments (especially ones engaged in clandestine surveillance operations) have an obligation to share security vulnerabilities with companies. But neither do those companies have an obligation to create vulnerabilities for the governments to exploit (on the contrary; the companies have an obligation to find and fix the holes in their products).

How do you determine if a vulnerability was there because it was overlooked in development, or if it was there because the government demanded it from the company but used the law to impose a gag order on the company preventing the public from finding out about it?

> How do you determine if a vulnerability was there because it was overlooked in development, or if it was there because the government demanded it from the company but used the law to impose a gag order on the company preventing the public from finding out about it?

You don't; but that's possible today with the way the gag orders and FISA courts work. That's a real problem around transparency in our legal system; which IMO is a different issue from transparency around security issues relating to privately-developed products.


That's a really interesting viewpoint. Thanks for sharing it.

In my opinion the government should be obliged to share the vulnerability for the purposes of keeping the rest of the users safe from the same exploit, whether executed by the government or executed by somebody else.

In summary, I disagree with you but I'm glad I took the time to ask you about your view since I learned something new.