NSA Discloses 91 Percent Of Vulns It Finds, But How Quickly?

Published: 22/11/2024   Category: security



NSA says vast majority of flaws it finds are reported to vendors, but keeps mum on how long it takes--offering enterprises another reason for remaining vigilant with their own internal security.



To close out Cybersecurity Awareness Month a couple of weeks ago, the publicity arm of the NSA went on record to tout the agency's rate of vulnerability disclosure, stating that it had a record of disclosing 91% of the vulnerabilities it finds through its own internal research.
Though it was meant to be a feel-good number, the fact is that some in the security industry believe that even if the rate of disclosure were 100%, it wouldn't really reflect how good a job the agency is doing in helping the public at large deal with zero-day threats in a timely fashion.
NSA acknowledges that in the other 9% of cases, it holds back either because the vulnerability has already been discovered by the vendor in question, or because the agency chooses to use it in intelligence operations. It makes the case that these vulnerabilities offer an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.
However, it says that its historical record shows that it works to call attention to the flaws it finds.
"The U.S. government takes seriously its commitment to an open and interoperable, secure, and reliable Internet," the NSA said in a statement about its disclosure policies. "In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest."
But the point that many security professionals make -- including several in a Reuters report last week -- is that the dimension of time is incredibly important in the world of zero-days. In other words, it doesn't matter if the NSA reports 91% of zero-days if they've had enough time to be discovered elsewhere, circulate elsewhere, and serve as the vector of numerous attacks.
"Telling us that you disclose 91% doesn't really tell us much because we don't know the timeframe between discovery and disclosure," says Tom Gorup, security operations lead at Rook Security. Gorup says that while he understands why the NSA would want to hang on to vulnerabilities for offensive tactics, it's in the country's best interest for the agency to disclose as soon as possible. "I think it's ignorant to think that you're the only one that has that zero-day."
Gorup points to vulnerability peddlers like the Hacking Team as a good example of why hoarding zero-days is a bad idea. This summer's breach of the company showed just how pervasive the sale of previously undisclosed vulnerabilities is to nation-states and other organizations seeking to make a buck off of them. Meanwhile, many software creators fly blind even when well-meaning security researchers want to inform them of potentially dangerous zero-day vulnerabilities. According to research out last week from HackerOne, 94% of the Fortune 2000 do not have a vulnerability disclosure program.
The point is that zero-days held by the NSA can just as easily be discovered by other actors, and every day the agency holds onto them is another day that some other parties are granted to discover and use these flaws.
For enterprises, Gorup says that the whole debate is a good lesson in vigilance.
"It's reaffirming that we always need to be vigilant. They clearly state that they're still withholding zero-day exploits for national security reasons," he says. "So that means there's a zero-day exploit that potentially resides within your network."
