NSA purchased zero-day exploits from French security firm Vupen

NSA purchased zero-day exploits from 

French security firm Vupen

The National Security Agency bought hacking tools from a security firm, based on 

documents unearthed by a FOI request.

The bombshell media leaks that exposed the U.S. National Security Agency's surveillance 

projects were easily one of the main stories of the year -- with international and political 

repercussions -- but now a Freedom of Information request has unearthed the additional 

purchase of hacking tools.

Ex-NSA contractor Edward Snowden is wanted by the U.S. government for leaking 

confidential documents to the media which exposed the agency's surveillance techniques 

used not only on American citizens, but allegedly other countries and their residents.

While Snowden is currently living in Russia under guard and silent, revelations continue to 

surface. One of the latest reports claims that the NSA is able to access data from Apple 

iPhones, BlackBerry devices, and phones that use Google's Android operating system. In 

addition, following document leaks which suggested the NSA was accessing email records, 

a number of companies offering secure email shut down, and in their place, encrypted 

mobile phone communication applications have risen.

A fresh report, brought on by a Freedom of Information (FOI) request by government 

transparency site MuckRock, shows that the NSA purchased data on zero-day vulnerabilities 

and the software to use them from French security company Vupen.

According to the documents, the NSA signed up to a one-year "binary analysis and exploits 

service" contract offered by Vupen last September.

Vupen describes itself as "the leading provider of defensive and offensive cyber security 

intelligence and advanced vulnerability research." In other words, the security firm finds 

flaws in software and systems and then sells this data on to governments.

In addition, Vupen offers offensive security solutions, including "extremely sophisticated 

and 

government grade zero-day exploits specifically designed for critical and offensive cyber 

operations."

Zero-day vulnerabilities are security flaws in systems discovered by researchers and 

cyberattackers which have not been found or patched by the vendor. These flaws can then 

be exploited to gain access to a system and its information, or the vulnerabilities can be 

sold 

on the black market. White-hat hackers may reveal the flaw to the vendor for free or as 

part 

of a 'bug bounty' program.

The finding isn't all that surprising, considering a report released in May previously claimed 

that the United States is the world's "biggest buyer" of malware.