The American Civil Liberties Union reports that federal agencies are not releasing documents sought under the Freedom of Information Act about the use of zero-day exploits. As the ACLU explains, “Zero-day exploits are special software programs that take advantage of security vulnerabilities in software that are unknown to the software’s manufacturer. These exploits are frequently used by intelligence agencies and the military as well as, we suspect, by federal law enforcement agencies. But they can be used by any hackers, whether they work for the U.S. government, a foreign government, a criminal group, or anyone else. Zero-day vulnerabilities and the tools that exploit them are extremely powerful, because there is very little that potential targets can do to protect themselves.” Government policy is to reveal any flaws in Internet security to companies while retaining the discretion to withhold warnings in certain instances. (ACLU, March 3, 2015, by Sonia Roubini)
The Obama administration clarified its position on zero-day exploits in December of 2013 saying it did not stockpile the exploits and that it was rare to withhold disclosure,“…in almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection.” It also said decisions to withhold were made only with extensive review by appropriate federal agencies and departments and would have an expiration date. (Wired, November 11, 2014)