by mtgx
3901 days ago
Maybe it's not really about auditing it, as much as it is about finding their own flaws to exploit. In the US, it's actually worse, because Microsoft also gives the NSA the zero-days it finds on a silver platter, way ahead of fixing them (not necessarily suggesting Microsoft will delay fixing them on purpose, but as we know sometimes fixing a major bug can take many months - see the whole Project Zero vs Microsoft scandal - months in which the NSA can put those bugs to "good use"). http://arstechnica.com/security/2013/06/nsa-gets-early-acces... Oh btw, Apple and Intel do this, too, now (Intel may have been doing it for years, but we know for a fact Apple "volunteered" to do it, too, this year at Obama's Cyber Summit). As far as we know Google has refused to do it, and hopefully it stays that way.
Large banks, for example, will get information about new "zero-day" vulnerabilities from their TAM, sometimes months before a patch is released, so they can adjust accordingly.
The NSA doesn't get an exploit; they are notified about the vulnerability in good faith. In some cases Microsoft and their partners will release a signature which can enable host- or network-based intrusion detection/prevention systems to mitigate the vulnerability until it's patched.
There are other initiatives by various security vendors; the most prominent would be ZDI by TippingPoint (now HP), which actually buys exploits so it can make signatures for its IPS. They notify their partners, but in many cases withhold the vulnerability information for up to 6 months from the vendor of the vulnerable product.