NSA Discloses 91 Percent Of Vulns It Finds, But How Quickly?

NSA says 'vast majority' of flaws it finds are reported to vendors, but keeps mum on how long it takes--offering enterprises another reason for remaining vigilant with their own internal security.

To close out Cybersecurity Awareness Month a couple of weeks ago, the publicity arm of the NSA went on record to tout the agency's rate of vulnerability disclosure, stating that it had a record of disclosing 91% of vulnerabilities that it finds through its own internal research.

Though it was meant to be a feel-good number, some in the security industry believe that even if the rate of disclosure were 100%, it wouldn't really reflect how good a job the agency is doing in helping the public at large deal with zero-day threats in a timely fashion.

NSA acknowledges that in the other 9% of cases, it holds back either because the vulnerability has already been discovered by the vendor in question, or because the agency chooses to use it in intelligence operations. It makes the case that these vulnerabilities offer "an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks."

However, it says that its historical record shows that it works to call attention to the flaws it finds.

"The U.S. government takes seriously its commitment to an open and interoperable, secure, and reliable Internet," the NSA said in a statement about its disclosure policies. "In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest."

But the point that many security professionals make--including several in a Reuters report last week--is that the dimension of time is incredibly important in the world of zero-days. In other words, it doesn't matter if the NSA reports 91% of zero-days if those flaws have had enough time to be discovered elsewhere, circulate elsewhere, and serve as the vector for numerous attacks.

"Telling us that you disclose 91% doesn't really tell us much because we don't know the timeframe between discovery and disclosure," says Tom Gorup, security operations lead at Rook Security. Gorup says that while he understands why the NSA would want to hang on to vulnerabilities for offensive tactics, it's in the country's best interest for the agency to disclose as soon as possible. "I think it's ignorant to think that you're the only one that has that zero day."

Gorup points to vulnerability peddlers like the Hacking Team as a good example of why hoarding zero-days is a bad idea. This summer's breach of the company showed just how pervasive sales of previously undisclosed vulnerabilities are to nation-states and other organizations seeking to make a buck off of them. Meanwhile, many software creators fly blind even when well-meaning security researchers want to inform them of potentially dangerous zero-day vulnerabilities. According to research out last week from HackerOne, 94% of the Fortune 2000 do not have a vulnerability disclosure program.

The point is that zero-days held by the NSA can just as easily be discovered by other actors, and every day the agency holds onto them is another day that some other parties are granted to discover and use these flaws.

For enterprises, Gorup says that the whole debate is a good lesson in vigilance.

"It's reaffirming that we always need to be vigilant. They clearly state that they're still withholding zero-day exploits for national security reasons," he says. "So that means there's a zero-day exploit that potentially resides within your network."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Joe Stanganelli, User Rank: Ninja
11/10/2015 | 2:49:09 PM
Re: Other 9 percent?
Indeed, 9 percent is more than enough when you're working to create vulnerabilities beyond those.

User Rank: Ninja
11/10/2015 | 7:32:22 AM
Other 9 percent?
Since we know the NSA has no problem installing malware into the firmware of hard drives of everyone in the world, it's pretty sanctimonious to try and paint itself as a crusader for consumer interests. It's not.