NSA sought services of French security firm, zero-day seller Vupen

The National Security Agency (NSA), which is already under scrutiny for circumventing widely used encryption methods for online data, obtained services from a French firm known for selling zero-day exploits.

On Tuesday, MuckRock published the evidence: a year-long contract between NSA and security company Vupen.

Self-described as a public records service that files Freedom of Information Act (FOIA) requests, MuckRock brought attention to key details in the FOIA-obtained contract. Namely, the NSA purchased a 12-month subscription for a 'binary analysis and exploits service' from Vupen.

The contract was signed on 14th September 2012, but specific information, such as the cost of the services offered to the NSA, was redacted.  

Soon after news of NSA's dealings with Vupen became public, Vupen's CEO and head of research Chaouki Bekrar took to Twitter, saying the company would no longer reply to media inquiries about the NSA contract.

The revelations incited public criticism, particularly as other details about NSA's mission to undermine encryption of online communications were revealed weeks ago.

Earlier this month, The Guardian, The New York Times and ProPublica collaborated to shed light on the fact that the NSA pressured technology companies into giving the agency backdoor access to encryption software and, in some cases, outright stole company encryption keys by hacking organisations' servers, according to documents leaked by whistle-blower Edward Snowden.

Furthermore, The Washington Post highlighted NSA's intense interest in the exploit market in August, bringing forth the agency's budget for zero-day purchases. NSA spent more than $25 million this year to obtain information on software vulnerabilities discovered by private firms, the paper revealed.

UPDATE: In an email sent to on Wednesday evening, Vupen's CEO Bekrar addressed the recent findings on its contract.

"Vupen has been advertising and selling its private vulnerability research and intelligence for years and there is no real news here since we have always been transparent about the fact that we work with major government agencies to help them defend their infrastructures and citizens against cyber-world and real-world threats," Bekrar wrote. "Many of these agencies work with various local and foreign exploit providers to get the largest coverage and protection possible against software and hardware vulnerabilities."

Bekrar also added that its binary analysis and exploits service allows customers to "protect their systems against sophisticated attacks".

Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, told that there was no way to tell whether the NSA would use zero-day information for defensive or offensive measures.

"They may use it for their tailored operations, and given the revelations about their activities, we can't be certain that the NSA will use [the information] within the bounds of the Constitution," Opsahl said. 
