The WikiLeaks saga continues. The non-profit previously promised to collaborate with tech companies to address the exploits in the CIA Vault 7 data dump. However, nothing of the sorts has been done so far.
There were multiple indicators within the leaked documents that the CIA deployed zero-day vulnerabilities in platforms like Android and iOS, Windows, Mac and Linux. Due to these discoveries WikiLeaks witnessed pressure as it didn’t approach the affected tech companies before going public. Apparently, WikiLeaks hasn’t shared any data with the companies, as revealed by Motherboard.
In order for WikiLeaks to reach out to the affected tech companies, certain demands have to be met. One such demand is a requirement to release security patches within 90 days. Unfortunately, this period may or may not work with these vulnerabilities, depending on their severity. In addition, most companies would not agree to something without first obtaining more information on the nature of the flaws.
Furthermore, the companies would not really want to write patches based on WikiLeaks’ information as they are uncertain about the origins of this information. As Motherboard puts it:
The companies, however, are not sure what to do next because the vulnerabilities come from highly-classified documents (which may have been illegally obtained), as well as the suspicion that, perhaps, these documents and hacking tools were leaked to WikiLeaks by the Russian government.
An undisclosed source has told Motherboard that “WikiLeaks and the government hold all the cards here, there’s not much the tech companies can do on their own”, stressing on the severity of the whole situation.
What does WikiLeaks say? Not surprisingly, the non-profit’s reaction is opposite to everyone else’s. They believe that tech companies are not really interested in dealing with the patches as they are in fact working together with the US government and the CIA. This collaboration would actually prevent them from addressing the exploits as they would usually do.