The Australian Signals Directorate (ASD) has quietly published its process for deciding when knowledge of cybersecurity vulnerabilities is kept secret.
This is the first official acknowledgement that the ASD might not disclose all of the vulnerabilities it discovers. However, knowledge of secret vulnerabilities would have always been an essential part of the agency’s toolkit for offensive cyber operations.
The document Responsible Release Principles for Cyber Security Vulnerabilities was posted on the ASD’s website on Friday.
The policy stresses that the agency’s starting position when it finds a weakness is to disclose it and work with vendors to ensure that patches are available before the weakness is made public.