U.S. Navy Wants To Enhance Its Cyberattack Arsenal By Purchasing Zero-Day Exploits
Dave Maass, a researcher for the Electronic Frontier Foundation, stumbled upon the zero-day request on FedBizOpps, a site that government agencies use to post contracting requests. On the site, the U.S. Navy posted a listing saying that the government was looking for "access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software."
The listing called out Microsoft, Adobe, Android, Apple, "and all others," adding that "the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old)... The government will select from the supplied list and direct development of exploit binaries."
It's a bit odd that the Navy would post such a request on a public site, though once Maass brought attention to it through a Twitter post, the Navy removed the listing.
Nevertheless, the knowledge that government agencies seek out and use vulnerabilities against foreign threats isn't new. The government has been known to purchase exploits from outside vendors, which are sometimes used for offensive purposes. This is to the chagrin of the EFF, which feels that the government should make more of an effort to disclose vulnerabilities to the developer.