You’d think armed forces and other agencies of government ought to be in the business of protecting their citizens. It seems like that ought to be the point. They keep telling us that’s the point when they ask for more money and power.
That’s one of the reasons it’s so frustrating when security services try to sabotage encryption or actively distribute malware onto the machines of citizens, guilty or otherwise. It’s the exact opposite of protection.
The US Navy will pay for your zero day bug reports so that it can turn them into weapons. A zero day bug is one the software’s vendor doesn’t yet know about, so no patch exists and nothing stops it from being exploited. That makes zero days the most valuable kind of bug to an attacker. An attacker such as the US Navy.
Not that the navy (necessarily) wants to attack American citizens. It wants to attack people in other countries who use the same software. But the only way to keep those bugs usable against foreign targets is to keep them secret from the vendor, which deliberately leaves American citizens running the same unpatched software, vulnerable to the same attacks by other countries, rather than making the internet more secure for everyone.
As Cory Doctorow puts it, here:
The Navy, therefore, is seeking to secure America by ensuring that the "widely used and relied upon commercial software" that Americans depend on remains unpatched and vulnerable, so that it can attack its enemies, who use the same software, and they're conveniently ignoring the fact that their enemies can use those same bugs the Navy wants to hoard to attack American individuals, governments and companies.
The EFF are on the case. The Navy took down the solicitation after Dave Maas tweeted about it, but the EFF saved a copy here. They’re also suing the US government to disclose the process by which it decides whether vulnerabilities it knows about get reported to the vendors of that software or kept for its own use. It seems unlikely that the Navy would spend big money soliciting bugs if they were routinely reported to the vendors, so that decision process seems like something we all really need to know about.
The EFF’s article about it is here.