Surprise! WikiLeaks won’t just hand over details of zero-day vulnerabilities to tech firms

Sigh… there are strings attached.

Remember those brief days of sunlight when we held out hope WikiLeaks might have stopped acting like arses, and might have decided to act in the interests of everyone who relies upon technology for their security and privacy?

Well, as predicted, there are clouds on the horizon.

As Motherboard reports, WikiLeaks’ Julian Assange may be making unreasonable demands about how he will share details of the alleged zero-day vulnerabilities that have been leaked from the CIA:

This week, Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents. But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity.

WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources. It’s unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.

Is 90 days a reasonable time to fix a vulnerability?

I think that’s very hard for someone outside of a technology vendor’s programming and quality assurance team to say with any confidence.

It makes me very uncomfortable when outsiders make determinations of how long a problem should take to fix (and, of course, how long it will take to test that the fix works reliably in all scenarios and setups), when they have no knowledge of what else teams might be working on – including other vulnerabilities they might already be working hard at fixing – some of which may be of even higher importance.

Of course, I don’t think we should allow technology firms with unpatched vulnerabilities in their software and hardware to rest on their laurels, or treat it as anything less than serious.

But I also want to feel confident that bugs are patched properly and that fixes do not themselves introduce more problems than the problem they are trying to address.

What makes Julian Assange qualified to say that 90 days is enough? There are ways of putting pressure on technology firms to fix bugs, and highlight if you think they are taking too long, without dangling a sword of Damocles over their heads if flaws are not fixed on your own determined schedule.

You can hear some of my personal concerns about whether WikiLeaks will share details of the alleged zero-day vulnerabilities with technology firms in this week’s “Smashing Security” podcast, where I was joined by Carole Theriault and special guest Nick FitzGerald.

The discussion about WikiLeaks starts at about 10 minutes in, but you might enjoy the rest of the podcast too!

Smashing Security #012: 'Eau de Eugene Kaspersky'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

15 comments on “Surprise! WikiLeaks won’t just hand over details of zero-day vulnerabilities to tech firms”

  1. Endrik

    It's not that hard to fix. If they can't do it in 90 days, then there's something really wrong. Something that urgent has to be done quick.

    1. Graham Cluley · in reply to Endrik

      What's not that hard to fix? How do you know it's not hard to fix? How do you know how long it takes to properly test that the fix works in all environments reliably and doesn't introduce its own problems? How do you know what else the vendor's team is currently working on that might be of greater importance to the testing team than what WikiLeaks is planning to disclose in 90 days? Should WikiLeaks' vulnerabilities be considered of greater importance just because they're creating an almighty stink about them?

      The truth is that we don't know the answers to any of these questions. We don't know the detail of what the vulnerabilities are, and WikiLeaks doesn't know how difficult they are to fix.

      They should share the details with the vendors without any strings attached. If they feel that the vendor is taking too long to fix them WikiLeaks could demonstrate the flaws to journalists to apply more pressure. Releasing proof-of-concept code or details that could aid other criminals does no good to any of us.

      1. Itisi · in reply to Graham Cluley

        If Wikileaks has them, the exploits should already be deemed 'out there'. I think 90 days is reasonable; Google's ProjectZero also uses 90 days before it makes their findings public.
        I think the reason Wikileaks uses this hard deadline is that it prevents vendors from keeping said exploits in their code, f.e. in the case such a backdoor has been ordered by a national security agency or government. And face it, even if a vendor refuses to sign off Wikileaks' request, the exploits will be made public anyway (or worse, exploited in the wild).
        PS: has anyone performed a traceroute on wikileaks.org? Now that smells fishy.. (Mir Telematiki Ltd, Moscow, Russia)

  2. Kev whelan

    90 days is plenty.

    Someone needs to put pressure on Vendors and as we have seen it is certainly not going to be any Government……

    No pressure, no fix. Same as potholes in the road.

    1. Graham Cluley · in reply to Kev whelan

      There are ways of applying pressure without handing tools to others which will enable them to exploit these flaws.

      I'm sure the vendors will be keen to fix the security holes as fast as they can. But it's not for WikiLeaks to demand it is done in 90 days with threats of disclosure.

  3. 0day

    90 days is pretty normal for responsible disclosure. The only ass here is the author.

    1. Graham Cluley · in reply to 0day

      Arse not ass.

      But anyway, I think the "90 days" figure grew to prominence from Google's Project Zero team. They have brought Google into disrepute by releasing proof-of-concept code which exploits security vulnerabilities in other vendors' software before a patch is released – sometimes putting regular internet users at risk while failing to get Android's broken patching infrastructure sorted out.

  4. Annoyed reader

    The author's only intention here seems to be a little flame-baiting against WikiLeaks, as he has no clue of the actual contents of the documents nor is the grace period of 90 days something uncommon.

    Wondering why this pointless post appeared on my Flipboard. Reported it.

    1. Graham Cluley · in reply to Annoyed reader

      WikiLeaks gets plenty of flames as it is – probably doesn't need more from me!

      I don't see how WikiLeaks would be helping the typical internet users by releasing details of vulnerabilities after 90 days. If they want to apply pressure on vendors to patch bugs there are better ways of doing it.

  5. Etaoin Shrdlu

    No software company would ever have any qualms about "committing" to a 90 day deadline. They routinely commit and then fail to deliver on time. What is Julian going to do, get Ecuador to sue?

  6. Jay

    I would bet Wikileaks will soon be made redundant in this debate anyway. News says they weren't the first to get this material, and I have to think every hacker group on the planet was out there trying to get a copy from the moment the news broke.

  7. Bob

    An update from The Register – it appears that the vendors are afraid of fixing the issues for fear of jeopardising their lucrative contracts with the government:

    "There's also the little hitch that these tools are classified US government property, and the tech giants are uneasy with handling this material, especially since they do lucrative contract work for Uncle Sam and have rules in place on who, internally, can and can't access sensitive reports and blueprints."

    https://www.theregister.co.uk/2017/03/18/friday_security_roundup/

  8. Sean

    This is very poor Graham, as a researcher I regularly reverse patches and fully support the view that 90 days is sufficient. I understand why a lot of American and British "experts" in "cybersecurity" find reason to attack Wikileaks, for many Assange is undermining deep rooted and jingoistic tendencies that come from an industry that sucks the government tit at every given opportunity.

    To float the idea that 90 days is not enough time is ridiculous and I suggest you know it is regardless of what you commit to print. It's worth remembering the limitations placed on Wikileaks, more accurately on Assange himself; regardless of personal traits he has shown more courage and commitment to his beliefs in a way that I doubt most "experts" can ever understand not least accept. Disappointed Graham.

    1. Graham Cluley · in reply to Sean

      Thanks Sean.

      I'm genuinely sorry to have disappointed you. But if you look back on my previous articles you'll realise that my position has nothing to do with WikiLeaks being involved in this.

      I have been equally critical of Google, for instance, who were the main standard bearers for the "90 days is enough time to properly fix a vulnerability" position.

      I believe that releasing exploit code and putting that power in the hands of any Tom, Dick and Harry should always be a last resort, and one not to be taken lightly. As I have described before there are ways to pressure companies who you believe are being slow to patch bugs without sharing the details of how to do it to the world.

  9. Dave Howe

    If all it is, is a 90 day deadline, then that's all Google themselves give other people to fix their issues; MS have made a big thing out of the occasions they have run out that 90 day clock and Google has gone and published anyhow.
