The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . . The government will select from the supplied list and direct development of exploit binaries.”
Although this solicitation was posted on a publicly accessible site, it seems the Navy didn’t want the attention and pulled it down the day after Dave tweeted about it. (We’ve uploaded the cached copy from Google.) Even so, the fact that the United States government is looking for vendors to sell it software vulnerabilities isn’t news—we’ve known for some time that the government uses software vulnerabilities, sometimes known as zero-days, for offensive intelligence-gathering and espionage. The media has also reported on the government’s purchases of zero-days from outside vendors.
What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities. As we’ve explained before, the decision to use a vulnerability for “offensive” purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users.
The fact that the US Navy is looking to purchase zero-day and other security vulnerabilities should come as no surprise to anyone. What is surprising is that this solicitation was publicly accessible. Considering the sensitive nature of such a request, I would not have expected to see this acquisition request in such a blatantly obvious location.