The general feeling among the American public is that it is well within the realm of possibility for the NSA to be stockpiling unknown security vulnerabilities, and with the secretive agency spending $25 million a year on Zero Day vulnerabilities, that would seem to be the case. However, according to a researcher from Columbia University, while the agency may collect Zero Days, the number it holds is probably in the dozens, and only a few are added each year.
The information security community has long been concerned about the NSA’s dual mandate. On one hand, the agency is tasked with collecting intelligence on threats to the United States, and this sort of cyberespionage is easier if you have knowledge of undisclosed security vulnerabilities. On the other hand, the NSA is also tasked with protecting US information security, which involves warning American companies about those same unpatched vulnerabilities.
According to an NSA report, 91% of the vulnerabilities it gathered in 2015 were eventually disclosed; of those that were not, some had already been patched by the time a disclosure decision was made. The White House has said that in the year after it implemented a Zero Day disclosure policy, about 100 vulnerabilities were reviewed, with only two being kept.
In all of 2015, only 54 Zero Days were found in the wild, though these figures do not include what other agencies may be holding. In its feud with Apple, the FBI bought one such vulnerability in order to gain access to the San Bernardino terrorist’s iPhone. At the time, the FBI avoided disclosure by claiming it had only paid for access to a tool, not for the vulnerability itself. These numbers also do not include what other governments may be stockpiling, with only Great Britain offering any degree of transparency about such activity.