The U.S. government acknowledged that it uses zero-day bugs not only for espionage and intelligence gathering, but also for law enforcement. What else it uses them for is still unknown.
Last November, the government released a document titled Vulnerabilities Equities Process. This document describes the policy, dating back to 2010, that allows agencies to decide whether to tell vendors about bugs they know about or use them as they see fit.
The document was redacted as the government claimed that confirming what everyone already knows – that they don’t always report bugs that they know about – would damage national security. Not sure how that could possibly be, but that is what they claimed.
The government has removed some of those redactions and thereby confirmed what everyone already knew – that the government uses zero-day exploits so that the FBI and other agencies can hack into U.S. citizens’ computers, hopefully with appropriate oversight – although the oversight process, if it exists, is still unknown.
The document says that there is a group within the government that reviews zero-days and decides how they will be handled and to whom they will be distributed. The NSA, not surprisingly, is in charge of this group.
Before we beat up the U.S. government too much, likely every other government on the planet does the same thing – likely with similar rules of engagement.
Still, this release of information does eliminate any question about whether “We’re from the government, we’re here to help you.”