NSA Claims It Discloses 91 Percent of Security Vulnerabilities Found, Keeps Rest In Back Pocket

In the "vast majority of cases," when the U.S. government is made aware of a software vulnerability, it discloses that information to the vendor so that it can issue a patch to the public. What constitutes a "vast majority?" Nine times out of 10, or 91 percent of the time, according to the U.S. National Security Agency's own books.

What about the other 9 percent of the time? The zero-day threats the NSA doesn't disclose are either those the vendors had already fixed before the NSA notified them or, simply put, those withheld in the interest of national security.


"The National Security Council has an interagency process to consider when to disclose vulnerabilities," the NSA said. "The process requires the government to weigh many factors, including the importance of the information to the nation's security. While these decisions can be complex, the government's bias is to responsibly and discreetly disclose vulnerabilities."

Before you snuggle up with the warm fuzzies the NSA is handing out, there are some factors to consider. One of them is the speed with which the 91 percent of vulnerabilities are disclosed. The NSA didn't say how long it sits on known vulnerabilities before alerting vendors, though it did state that the ones it holds onto are kept hidden "for a limited time." It also said there are pros and cons to disclosing security holes.

"Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks," the NSA added.