WikiLeaks holds tech companies' feet to the fire before helping with zero days revealed in CIA leaks
The CIA's hacking tools leaked in the WikiLeaks Vault 7 disclosure revealed vulnerabilities in a range of popular software titles. Julian Assange has said that his organization will share details of the zero days revealed in the documents with the respective technology companies, but it now transpires that there are certain conditions to meet first. It’s a situation that has more than a slight air of "ransom" to it.
Microsoft initially complained that after the leak there had been no contact from either WikiLeaks or the CIA, but it seems that contact has now been made with the Windows-maker and other companies. Mozilla is among those to have been contacted and to have responded, and sources suggest that Assange has attached conditions to disclosing details of the vulnerabilities.
As reported by Motherboard, communications have been a little stilted so far. One source says that "beyond making the initial contact, no information has been shared," and there are hints at the sorts of demands WikiLeaks is making. Reference is made to a 90-day disclosure deadline -- presumably meaning that the companies in question must agree to fix the vulnerabilities within 90 days of receiving the details, although it's not clear what the consequences of failing to do so would be.
WikiLeaks itself has not given full details of exactly which companies it has heard back from, but it did tweet about the issue over the weekend:
Update on CIA #Vault7 "zero day" software vulnerabilities
— WikiLeaks (@wikileaks) March 18, 2017
There is still an element of suspicion about not only the veracity of the Vault 7 leaks, but also the source from which they came. Thus far WikiLeaks has declined to publish details of the vulnerabilities. But now that conditions are being attached to disclosing them to the companies behind the software, the obvious fear is that millions of users could be placed at risk should WikiLeaks decide to go public if firms decline to play ball or fail to meet its demands.