According to a contract newly released in response to a Freedom of Information request, last year the NSA purchased a 12-month subscription to a “binary analysis and exploits service” sold by Vupen, a zero-day exploit seller based in France.
VUPEN is one of a handful of companies that do original vulnerability research, develop exploits for the bugs they find, and sell those exploits and vulnerability details.
They sell those exploits to governments and law enforcement agencies. VUPEN has promised that it will sell its services only to NATO countries and will not deal with oppressive regimes.
It is unclear how much money the NSA spent on the Vupen exploits package because the cost has been redacted in the released contract.
Last year, Vupen researchers successfully cracked Google’s Chrome browser, but declined to show developers how they did so, even for an impressive cash bounty. “We wouldn’t share this with Google for even $1 million,” Vupen CEO Chaouki Bekrar said at the time.
Vupen has previously drawn criticism from security experts, as well as privacy advocates such as Soghoian, who delivered a presentation about the exploit vulnerability marketplace at the recent Virus Bulletin conference and characterized the firm as being a “zero-day cyber weapon merchant.”
Such flaws can be exploited to gain access to a system and its information, or they can be sold on the black market; Vupen is doing something similar by not helping the vendors.
Vupen may have sold its services to the NSA for defensive reasons, but we are all now aware of the offensive hacking operations of the NSA and other law enforcement agencies.