Submitted: Nov. 8, 2015
To Whom It May Concern:
This is a request under the Freedom of Information Act. I hereby request the following records:
Disclosure timeline and decision making rationale for disclosure of vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel Could Allow Remote Code Execution (2992611)" to Microsoft Corporation as part of the Vulnerabilities Equities Process. Please include timeline for initial discovery with source of discovery, first operational use, and finally, date for vendor notification.
The requested documents will be made available to the general public, and this request is not being made for commercial purposes.
In the event that fees cannot be waived, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM, DVD-R, or BD-R if not.
Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 20 business days, as the statute requires.
An acknowledgement letter, stating the request is being processed.
The request has been rejected, with the agency stating that it can neither confirm nor deny the existence of the requested documents.
I reject and demand appeal of your rejection of this request.
First and foremost, please recognize that the GSF Explorer, formerly USNS Hughes Glomar Explorer (T-AG-193), for which this Glomar response is so named, was a purely military operation, using custom-built military equipment, on an exceptionally sensitive military mission to recover military equipment. Observe that the "Vulnerabilities Equities Process" is a public outreach activity communicating with third party partners, acting in the public interest regarding software used by public citizens and business alike - a scenario at opposite ends and means from which this denial blindly overreaches.
Second, observe that existing precedent supports the release of materials responsive to this request. In American Civil Liberties Union v. Department of Defense Case No: 04-CV-4151 (ACLU v. DoD) the courts have affirmed the public interest as a compelling argument for favoring the public interest against clearly military efforts. The Glomar denial should be well targeted; this targeted falls well outside of the "Vulnerabilities Equities Process", which is a public outreach activity communicating with third party partners, acting in the public interest, regarding software used by public citizens and business alike.
Third, consider that it is a well established technique in the information security industry to identify the origin and nature of a defect discovery and disclosure timeline. This information is used for a myriad of secondary research, analysis, and automation efforts spanning numerous industries. The utility of disclosure timeline information and context has decades of rich support and strong evidence of public interest benefit, particularly regarding long reported and fixed defects, such as this one, which has patches available for over a year.
Fourth, observe that every hour of expert opinion coupled with legal review amounts to a non-trivial expenditure of hours which are a sunk, throw away cost of FOIA communication. While as a taxpayer I appreciate the service of FOIA professionals such as those involved in this request, who provide tireless effort to all hundreds of millions of US citizens, my personal cost should be recognized. For this reason a deference in favor of public interest and disclosure is well supported for this request regarding the "Vulnerabilities Equities Process", which is a public outreach activity communicating with third party partners, acting in the public interest, regarding software used by public citizens and business alike.
Thank you for your time, and best regards,
A letter stating that the request appeal has been received and is being processed.
To Whom It May Concern:
Could we please get an update on this request and appeal?
Your appeal is holding its position in the Appeals backlog queue.
FOIA/PA Appeal Authority Staff
National Security Agency