NSA Says It Discloses 91 Percent Of Zero-Day Bugs It Finds, But Does It Exploit Them First?

The National Security Agency reveals in an infographic it has pushed out on its website that it discloses 91 percent of security flaws it uncovers to U.S. technology firms, but it does not say when it exposes these vulnerabilities.

The NSA likewise did not go into detail as to what it does prior to exposing these security exploits to developers.

The other 9 percent of vulnerabilities, according to the NSA, were either patched by the developers before the scheduled disclosure of these bugs or are not made known to the public at all due to "national security reasons."

The press release is seen as the NSA's action to refute allegations that it stores a large amount of information about security flaws in computer software.

Citing its sources, particularly current and former U.S. government officials, Reuters reports that the agency reveals bugs to developers only after purportedly carrying out its own cyberattack first.

The NSA points out in its press release that disclosing vulnerabilities means giving up the chance to gather important foreign intelligence that could prevent terrorist attacks, halt the theft of U.S. intellectual property and discover more security flaws that are possibly harmful to its networks.

"The National Security Council has an interagency process to consider when to disclose vulnerabilities," explains the NSA in its post. "The process requires the government to weigh many factors, including the importance of the information to the nation's security."

While these decisions can be complicated, the NSA notes that the bias of the government is to responsibly yet discreetly reveal security flaws.

In 2013, former NSA contractor Edward Snowden leaked that the agency splurged $25 million to purchase zero-day software vulnerabilities. For those who are unaware of what zero days are, these are flaws that have not yet been patched by developers, opening up a possibility for exploitation.

The perfect example of the use of zero days was Stuxnet. This attack virus was created by the agency along with an Israeli counterpart to secretly penetrate the Iranian nuclear program and eventually destroy centrifuges which were enriching uranium gas.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.