NSA bought zero-day vulnerabilities from security company Vupen

NSA bought one-year subscription last September, according to FOI response

The US National Security Agency (NSA) bought information about zero-day vulnerabilities from French security company Vupen, together with software required to exploit them, according to new documents released following a Freedom of Information request.

According to the documents, the US intelligence agency, which was found this summer to be vastly exceeding its authority, signed a one-year subscription to Vupen's "binary analysis and exploits services" in September.

Vupen acts as a security researcher, analysing software in-house and selling details of flaws to paying subscribers - rather than passing on the details to the software vendors that created the software.

Zero-day vulnerabilities are newly found flaws that the software vendor either does not know about or has not patched. The documents were published on the Freedom of Information website Muckrock.

Vupen is not the only vendor in the vulnerability research end of the computer security market. A number of other companies in the US and elsewhere also buy and sell vulnerabilities in a market that has shot up in value in recent years - perhaps due to the inflationary effect of national governments purchasing flaws for their own ends.

However, it is not known exactly what use the NSA has made of the information and the exploits that it bought.