According to a New York Times report, President Barack Obama has said that the NSA must reveal any Internet vulnerability that it finds. But there's a catch. The security agency is not obligated to disclose vulnerabilities whenever there's “a clear national security or law enforcement need”.
The decision was made by the President in January when he started working on NSA reforms, but it wasn't publicly revealed until last Friday when the White House denied that it had any prior knowledge of Heartbleed, a security bug which has reportedly affected almost two-thirds of the internet, including Google, Facebook, Yahoo, and more.
“This process is biased toward responsibly disclosing such vulnerabilities,” said Caitlin Hayden, the spokeswoman for the National Security Council. Despite the assurance, the exception is being widely viewed as a loophole that will likely allow the NSA to continue to exploit security vulnerabilities.
There is already widespread concern that the security agency may have been secretly using the Heartbleed bug for years to serve its own purposes, something which the agency has denied. On the other hand, documents released by Snowden reveal that the security agency was already looking at ways to accomplish exactly what Heartbleed did through a program code-named 'Bullrun'.
A senior White House official, however, defended the decision. “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war”, he said.