NSA Discloses 91 Percent Of Vulns It Finds, But How Quickly?

NSA says 'vast majority' of flaws it finds are reported to vendors, but keeps mum on how long it takes--offering enterprises another reason for remaining vigilant with their own internal security.

To close out Cybersecurity Awareness Month a couple of weeks ago, the publicity arm of the NSA went on record to tout the agency's rate of vulnerability disclosure, stating that it had a record of disclosing 91% of vulnerabilities that it finds through its own internal research.

Though it was meant to be a feel-good number, some in the security industry believe that even if the rate of disclosure were 100%, it wouldn't really reflect how good a job the agency is doing in helping the public at large deal with zero-day threats in a timely fashion.

NSA acknowledges that in the other 9% of cases, it holds back either because the vulnerability has already been discovered by the vendor in question, or because the agency chooses to use it in intelligence operations. It makes the case that these vulnerabilities offer "an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."

However, it says that its historical record shows that it works to call attention to the flaws it finds.

"The U.S. government takes seriously its commitment to an open and interoperable, secure, and reliable Internet," the NSA said in a statement about its disclosure policies. "In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest."

But the point that many security professionals make--including several in a Reuters report last week--is that the dimension of time is incredibly important in the world of zero-days. In other words, it doesn't matter that the NSA reports 91% of its zero-days if, by the time it does, those flaws have had enough time to be discovered elsewhere, circulate, and serve as the vector for numerous attacks.

"Telling us that you disclose 91% doesn't really tell us much because we don't know the timeframe between discovery and disclosure," says Tom Gorup, security operations lead at Rook Security. Gorup says that while he understands why the NSA would want to hang on to vulnerabilities for offensive tactics, it's in the country's best interest for the agency to disclose as soon as possible. "I think it's ignorant to think that you're the only one that has that zero day."

Gorup points to vulnerability peddlers like the Hacking Team as a good example of why hoarding zero-days is a bad idea. This summer's breach of the company showed just how pervasive the sale of previously undisclosed vulnerabilities to nation-states and other organizations seeking to make a buck off of them has become. Meanwhile, many software creators fly blind even when well-meaning security researchers want to inform them of potentially dangerous zero-day vulnerabilities. According to research out last week from HackerOne, 94% of the Fortune 2000 do not have a vulnerability disclosure program.

The point is that zero-days held by the NSA can just as easily be discovered by other actors, and every day the agency holds onto them is another day that other parties have to discover and use those same flaws.

For enterprises, Gorup says that the whole debate is a good lesson in vigilance.

"It's reaffirming that we always need to be vigilant. They clearly state that they're still withholding zero-day exploits for national security reasons," he says. "So that means there's a zero-day exploit that potentially resides within your network."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Joe Stanganelli
User Rank: Ninja
11/10/2015 | 2:49:09 PM
Re: Other 9 percent?
Indeed, 9 percent is more than enough when you're working to create vulnerabilities beyond those.
User Rank: Ninja
11/10/2015 | 7:32:22 AM
Other 9 percent?
Since we know the NSA has no problem installing malware into the firmware of hard drives of everyone in the world, it's pretty sanctimonious to try and paint itself as a crusader for consumer interests. It's not.