Tech firms mull options
Wikileaks wants flaws fixed in 90 days
Wikileaks' promise to give tech companies access to exploits in their systems before they are made public has hit a snag after the organisation added a demand that the flaws be fixed within 90 days.
"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," said Wikileaks founder Julian Assange during a Facebook Live press conference days after the Vault7 disclosures - what is believed will be the first of many from a trove that runs to more than 750,000 documents.
But now, according to reports, when Assange finally contacted Apple, Microsoft and Google about disclosing security flaws in their operating systems before Wikileaks publishes documents in future, he made a series of demands that the companies are now mulling over.
These include a demand that the companies adhere to a 90-day deadline to deal with the vulnerabilities highlighted in the documents. If their software is not patched within that time, Wikileaks will go ahead and publish the information in its trove of leaked documents, regardless of the aggravation this may cause to the companies.
The 90-day deadline is the same one that Google's own Project Zero security group gives companies when it uncovers flaws in their software. If a company has failed to patch its software accordingly, Project Zero publishes details of the flaw whether the vendor likes it or not.
Companies affected by this policy in recent months include Microsoft - twice.
The aim is to chivvy companies into improving the quality of the software they provide, as well as making them more responsive to reports of security flaws.
While the deadline is, therefore, not uncommon, the fact that the release of the data is being used as a way to tell the tech companies how to act is likely to annoy the likes of Apple, Microsoft and Google.
Furthermore, as the information is coming from seemingly stolen classified documents, there could be uncertainty about the legal ramifications of receiving and acting on the information.
It is also worth noting that the CIA hasn't made any moves to inform the companies themselves of the security flaws it has seemingly exploited so that they can patch their software accordingly, despite the Wikileaks disclosures effectively busting the CIA.
In addition, it is strongly suspected that Wikileaks was fed the documents - most of which would appear to be a few years old - by Russia, which would mean that it isn't just the CIA that has the knowledge of these security flaws, but also (at the least) Russia's FSB, the successor organisation to the KGB of the Soviet era.