This year alone, the NSA secretly spent more than $25 million to procure "'software vulnerabilities' from private malware vendors," according to a wide-ranging report on the NSA's offensive work by the Washington Post's Barton Gellman and Ellen Nakashima.
Companies such as Microsoft already tell the government about gaps in their product security before issuing software updates, reportedly to give the NSA a chance to exploit those bugs first. But the NSA is also reaching into the Web's shadier crevices to procure bugs the big software vendors don't even know about — vulnerabilities that are known as "zero-days."
Just who might the NSA be paying in this covert marketplace?
One of the most famous players in the arena is Vupen, a French company that specializes in selling zero-day exploits. A 2011 brochure made public on WikiLeaks showed Vupen boasting that it could "deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by Vupen security researchers."
Expanding the team, the biz, the pwn: VUPEN to open a US office in Maryland soon. We'll be hiring researchers (TS/SCI-cleared) #CNO #CNA
— VUPEN Security (@VUPEN) August 6, 2013
WikiLeaks identified nearly 100 companies participating in the electronic surveillance industry worldwide, though not all of them are involved in the sale of software vulnerabilities.
Zero-days are particularly effective weapons because no patch exists for them, and a single one can sell for up to hundreds of thousands of dollars.
The market for these exists in a legal gray area. Beyond that, it's still unclear whether the NSA is actually drawing on black-market sources to bolster its network intrusion capabilities. But would it really surprise any of us if it were?