NPR : News

NSA Denies It Knew About Heartbleed Bug Before It Was Made Public

The National Security Agency says it did not know about a critical security bug until it became public earlier this month.

The NSA was responding to a report from Bloomberg that the agency had known about the vulnerability known as "Heartbleed" for two years and instead of alerting the tech community, it exploited the bug to "gather critical intelligence."

Just to catch you up: The Heartbleed bug has led tech experts to call on Internet users worldwide to change the passwords they use on popular and sensitive sites, like that of their bank or email provider. As NPR's Jeremy Bowers explained, the bug allowed an attacker to receive the encryption keys used to transmit information like your username and password. In other words, the bug allowed access to the "crown jewels."

In a statement, the NSA said Bloomberg's report was simply "wrong." The U.S., the NSA said, would reveal this kind of vulnerability to developers if it ever came upon it. The statement goes on:

"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

"When Federal agencies discover a new vulnerability in commercial and open source software – a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.

"In response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."

Copyright 2014 NPR. To see more, visit

WAMU 88.5

A Conversation With "Broad City" Co-Star Abbi Jacobson

What do Michelle Obama, Anna Wintour and Michael Jordan carry in their bags? Abbi Jacobson imagines the things you might find in her new illustrated book, "Carry This Book." We talk to the "Broad City" co-star about what you can learn from the contents of bags—and her success creating and starring in the hit Comedy Central show.

WAMU 88.5

New Approaches To Tackling Local Youth Hunger

The First Lady of Virginia Dorothy McAuliffe and other regional leaders are exploring new, innovative ways to combat local food insecurity.

WAMU 88.5

What Washington Really Thinks of the Rest of America

Kojo explores the surprising findings of a Johns Hopkins survey on what D.C.'s federal workers and unelected policy makers really think of the American public.


Social Media Company Twitter Struggles Financially

Steve Inskeep talks to Emily Bell, director for the Tow Center for Digital Journalism at the Columbia Journalism School, about the challenges Twitter faces.

Leave a Comment

Help keep the conversation civil. Please refer to our Terms of Use and Code of Conduct before posting your comments.