NSA Contracted With Zero-Day Vendor Vupen

NSA likely used French exploit service to keep tabs on the competition and run deniable cyber ops, says cyber-weapon critic.

Iris Scans: Security Technology In Action (click image for larger view)
The National Security Agency (NSA) has been a customer of France-based Vupen Security, which sells zero-day exploits.
That fact was revealed by public records service
MuckRock
, which filed a Freedom of Information Act (FOIA) request with the NSA earlier this month seeking copies of contracts with Vupen Security and any final reports generated and delivered by Vupen to the agency over the past 10 years.
In response, the NSA shared a copy of an 18-page contract for a 12-month subscription to Vupens binary analysis and exploits service, dated Sept. 14, 2012. The contract was signed by both the NSA and Vupen CEO Chaouki Bekrar. Under the FOIA Act, some types of commercial and financial information can be withheld, and the cost of the NSAs Vupen subscription was blanked out.
Bekrar -- whos also Vupens head researcher -- said via email that it was common sense that intelligence agencies would work with vulnerability sellers. People seem surprised to discover that major government agencies are acquiring Vupens vulnerability intelligence, he said. There is no news here, governments need to leverage the most detailed and advanced vulnerability research to protect their infrastructures and citizens against adversaries.
[ Want to know about NSAs decryption capabilities and what they mean for you? See
NSA Crypto Revelations: 7 Issues To Watch
. ]
Indeed, the NSAs subscription with Vupen -- which bills itself as the leading provider of defensive and offensive cyber security intelligence -- is hardly surprising, given whats known about the practice of
selling exploits to the U.S. government
, especially in the wake of Stuxnet. That malware, which was
allegedly built
by a combined U.S.-Israeli cyber-weapons program to target centrifuges at a uranium refinery in Iran, included exploits for four different zero-day -- aka previously unknown -- vulnerabilities.
Beyond crafting some future Stuxnet, why else might the NSA contract with a vulnerability seller? [The] likely reasons for NSA subscription to Vupens 0day exploits: know what capabilities other [governments] can buy, and false flag, deniable cyber ops, Christopher Soghoian, principal technologist and senior policy analyst for the ACLUs Speech, Privacy and Technology Project, said
via Twitter
. There are times when U.S. special forces use AK-47s, even though they have superior guns available, he said. Same for NSAs Vupen purchase. Deniability.
Vupens website, meanwhile, makes no secret of the fact that it works with government agencies and the intelligence community, and Bekrar emphasized that customers must meet
strict eligibility criteria,
with customers being restricted to law enforcement and intelligence agencies in countries that are members or partners of NATO, the
Australia, New Zealand, United States Security Treaty
(ANZUS) or the Association of Southeast Asian Nations (ASEAN). Customers must also meet the requirements of the U.S. governments
Know Your Customer guidance
, and not be in any country thats on a restricted or embargo list maintained by the European Union, United States or United Nations.
Bekrar also said that although the company is based in France, it has no difficulty selling exploit information to eligible foreign governments. France is one of the largest arms exporters, so why not cyber arms? he said.
Vupen has previously drawn criticism from
security experts
, as well as privacy advocates such as Soghoian, who Monday
characterized the firm
as being a zero-day cyber weapon merchant.
Why sell exploits? In fact, the vulnerability marketplace can be
worth big bucks
for bugs that can be turned into weaponized exploits. Last year, for example, the Bangkok-based vulnerability buyer and seller known as the GrugQ -- who takes a 15% commission on deals -- said that
six-figure deals are common
, and that he wont touch a vulnerability worth less than $50,000.
Vupen, however, differs from vulnerability brokers such as the GrugQ, or HPs Zero Day Initiative, which buy and sell other peoples bugs. Bekrar
said via Twitter
Tuesday that all of our research is done in-house, and that his firm doesnt buy or sell third-party exploits.
As the NSA contract suggests, business appears to be good for Vupen, which has made a name for itself by
taking top prizes
in multiple
Pwn2Own competitions
. Last month, Vupen also announced plans to expand to the United States by
opening an office in Maryland
and hiring vulnerability researchers who have clearance to handle top secret or
sensitive compartmentalized information
.
Learn more about defending your organization from cyber threats by attending the Interop conference track on
Risk Management and Security
in New York from Sept. 30 to Oct. 4.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
NSA Contracted With Zero-Day Vendor Vupen