
NSA sought services of French security firm, zero-day seller Vupen


The National Security Agency (NSA), which is already under scrutiny for circumventing widely used encryption methods for online data, obtained services from a French firm known for selling zero-day exploits.

On Tuesday, MuckRock published the evidence: a year-long contract between NSA and security company Vupen.

Self-described as a public records service that files Freedom of Information Act (FOIA) requests, MuckRock brought attention to key details in the FOIA-obtained contract. Namely, the NSA purchased a 12-month subscription for a 'binary analysis and exploits service' from Vupen.

The contract was signed on 14th September 2012, but specific information, such as the cost of the services offered to the NSA, was redacted.  

Soon after news of NSA's dealings with Vupen became public, Vupen's CEO and head of research, Chaouki Bekrar, eventually took to Twitter, saying the company would no longer reply to media inquiries about the NSA contract.

The revelations incited public criticism, particularly as other details about NSA's mission to undermine encryption of online communications were revealed weeks ago.

Earlier this month, The Guardian, The New York Times and ProPublica collaborated to shed light on the fact that the NSA pressured technology companies into giving the agency backdoor access to encryption software and, in some cases, outright stole company encryption keys by hacking organisations' servers, according to documents leaked by whistle-blower Edward Snowden.

Furthermore, The Washington Post highlighted NSA's intense interest in the exploit market in August, bringing forth the agency's budget for zero-day purchases. NSA spent more than $25 million this year to obtain information on software vulnerabilities discovered by private firms, the paper revealed.

UPDATE: In an email sent to on Wednesday evening, Vupen's CEO Bekrar addressed the recent findings on its contract.

"Vupen has been advertising and selling its private vulnerability research and intelligence for years and there is no real news here since we have always been transparent about the fact that we work with major government agencies to help them defend their infrastructures and citizens against cyber-world and real-world threats," Bekrar wrote. "Many of these agencies work with various local and foreign exploit providers to get the largest coverage and protection possible against software and hardware vulnerabilities."

Bekrar also added that its binary analysis and exploits service allows customers to "protect their systems against sophisticated attacks".

Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, told that there was no way to tell whether the NSA would use zero-day information for defensive or offensive measures.

"They may use it for their tailored operations, and given the revelations about their activities, we can't be certain that the NSA will use [the information] within the bounds of the Constitution," Opsahl said. 
