Assange chastises companies that haven't responded to CIA vulnerability offers

WikiLeaks head Julian Assange is slamming companies for not taking the site up on its offer to share security flaws the CIA exploited in their products. 

In a screenshot of a statement tweeted on Saturday, WikiLeaks noted that "Organizations such as Mozilla" have responded to the site's emails offering to publish unreleased security vulnerabilities from leaked CIA files. "Google and other companies" have not.

"Most of these lagging companies have conflicts of interest due to their classified work with US government agencies. In practice such associations limit industry staff with US security clearances from fixing holes based on leaked information from the CIA. Should such companies choose to not secure their users against CIA or NSA attacks users may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts," the statement read.

WikiLeaks recently published a trove of files leaked from the CIA, including descriptions of hacking techniques. The site made an effort to redact source code showing how to actually accomplish the techniques, although enough code slipped through the cracks for researchers to reverse engineer at least one of the security flaws. 

On Friday, Cisco announced it was patching a vulnerability found in the files. 

Experts have questioned whether the government would crack down on companies that took WikiLeaks up on its offer.

Assange's statement also dismissed media reports that companies pushed back against a time limit to fix vulnerabilities shared over emails, saying firms gave no response whatsoever to emails offering information. 

Many researchers who hunt for unknown security flaws — including Google's research arm — give vendors a time limit to repair vulnerabilities before releasing them to the public. It is seen as a way to encourage prompt responses to threats. Some vendors, particularly during the years when cybersecurity was not taken seriously, have chosen not to fix problems sent their way.