In the navy… With our vulnerabilities #
# They want you, they want you
They want you as a new recruit #
(With apologies to The Village People)
Guess who has been advertising for zero-day vulnerabilities?
None other than the US Navy!
As EFF researcher Dave Maass uncovered, the United States Navy’s Naval Supply Systems Command posted a request for vulnerabilities on FedBizOpps.gov, a site used by government agencies to post contracts on.
“This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software.
– These include but are not limited to Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others.”
“The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.”
“Based on the Government’s direction, the vendor will develop exploits for future released COmmon Vulnerabilities and Exposures (CVE’s).
The posting was swiftly deleted from FedBizOpps.gov after its discovery by Maass, but he has helpfully posted an archived copy of it here.
One likes to assume that the US Navy is planning to use the exploits to test and harden its own systems, rather than potentially exploit the computer systems of others.
One would also like to think that the US Navy would inform the likes of Adobe, Apple. Microsoft and Google if their search for vulnerabilities bubbled up any zero-day vulnerabilities that the rest of the world would appreciate being patched.
But in this day and age, who knows what their intentions are.
And now, the moment you’ve all been waiting for…
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.