NSA buys zero-day attack info from French firm, contract shows

The NSA pays for knowledge of so-called zero-day vulnerabilities that help it attack computer systems, a freedom-of-information request in the U.S. has shown.

The public records request service MuckRock obtained a contract with a French company called Vupen, which describes itself as “the leading provider of defensive and offensive cyber security intelligence and advanced vulnerability research.” Vupen basically seeks out flaws in software and systems, then sells its findings to governments that want to exploit those flaws.

The arrangement isn’t particularly surprising, although ThreatPost noted that it showed the NSA doesn’t just rely on its in-house security research team to find new zero-day vulnerabilities (so named because the software’s developers have no advance knowledge themselves of the flaw’s existence at the time of its exploitation).

The trade in zero-day flaws is controversial, to put it mildly. Vupen maintains that it only sells to democracies, but there are many security researchers out there who will happily sell to the highest bidder, be that a government or organized crime.

Even before the Snowden affair blew up, there were reports that the U.S. was the biggest buyer out there for these gray-market zero-days, mainly for offensive rather than defensive reasons.

In June, it also emerged that Microsoft(s msft) and some other U.S. software firms disclose vulnerabilities in their products to agencies in that country before telling their other customers – this means outfits such as the NSA can protect their own systems as soon as possible, but it also makes it easier for them to hack other people’s installations before the target knows there is a problem.