NSA must report security flaws — with some exceptions


With the Heartbleed bug causing havoc and Dropbox users jumping ship, it’s been another week in which data security and privacy have been making headlines. Now the New York Times has shed light on the NSA’s responsibilities when it comes to security flaws like Heartbleed: the Agency must report any vulnerabilities that it finds, unless there is “a clear national security or law enforcement need” to keep it hidden.

The guidelines were set down by the Obama administration back in January, but this part of the ruling has only come to light in the wake of Heartbleed. There has been some concern that the NSA may have been quietly using Heartbleed for years to serve its own purposes, something which the Agency has denied.

Thanks to the NYT, we now know more about the NSA’s responsibilities when it comes to any security holes that it comes across. The organization “is biased toward responsibly disclosing such vulnerabilities,” said a spokeswoman, but that doesn’t mean that all bugs that the NSA digs up will be announced as a matter of course — any discoveries can be kept hidden and utilized for purposes of national security, if deemed necessary.

Ultimately, the decision rests with the government as to whether bugs such as Heartbleed should be reported to the technology community or exploited to gather data. A White House source quoted by the NYT said that giving up vulnerabilities automatically would put the country at a disadvantage: “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”