Mozilla is pressing the White House to do more to prevent cyberattacks by revealing details of security vulnerabilities, in an effort to prevent another massive internet outage like the one that last week left millions unable to access major websites and services.
The browser maker’s public policy chief Heather West said in a blog post that governments, companies and users alike “all need to work together to protect Internet security.”
West said that the government should formalize the vulnerabilities equities process (VEP), a system that reviews security flaws and ensures that, when appropriate, flaws are disclosed. In some cases, flaws aren’t disclosed because they can be useful for intelligence purposes. The FBI and NSA use exploits for undisclosed flaws to target computers and networks as part of their foreign intelligence missions.
The drawback is that if those flaws aren’t fixed and are exploited by someone else, that could lead to a massive cyberattack.
The process that determines whether or not the government will withhold or disclose a flaw is largely secret, and details of which vulnerabilities should be disclosed aren’t known.
Mozilla said that all vulnerabilities should go through the process to ensure that they’re fixed by manufacturers. This includes Mozilla, which makes the Firefox browser, used by hundreds of millions of users around the world.
West said “independent oversight and transparency into the processes and procedures of the VEP must be created.”
Mozilla praised two prominent senators for their effort in asking the government to formalize its vulnerability process, arguing that a government-wide policy and the addition of a bug bounty would help prevent cyberattacks.
This isn’t the first time that Mozilla has been pushy over security vulnerabilities.
Earlier this year, the FBI admitted in a court filing that it used a previously undisclosed flaw in the Firefox browser to target a suspected user of a child sex abuse website. The browser maker said at the time that the agency should’ve turned over details of the flaw “before it is disclosed to any other party.”