The U.S. National Security Agency, seeking to rebut accusations that it hoards information about software vulnerabilities and leaves U.S. companies open to cyberattacks, said last week that it tells U.S. technology firms about the most serious flaws it finds more than 90 percent of the time.

The reassurances may be misleading, because the NSA often uses the vulnerabilities to carry out its own cyberattacks first, according to current and former U.S. government officials. Only then does the NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.

At issue is the U.S. policy on "zero day exploits," the serious software flaws that are of great value to both hackers and spies because no one knows about them. The term "zero day" comes from the amount of warning users get to patch their machines protectively; a two-day flaw is less dangerous because it emerges two days after a patch is available.