VUPEN and Endgame are companies that employ people to do vulnerability research and develop exploits.
They sell a subscription service that provides access to a catalogue of their exploits to Government groups (law enforcement and intelligence agencies mostly). Depending on the company, the list of acceptable clients will vary: some of these firms sell only to the federal agencies of 5-Eyes nations, others will sell more broadly than that, and some may only sell to ${Local SIGINT agency}.
Government groups might do any number of things with these exploits, but typically law enforcement will use them to execute warrants to help in their surveillance of suspects. Intelligence agencies may use them in the same way (pursuant to their authorizations). Other customers might somehow try to defend friendly networks with the information, but this doesn't work.
I'm not sure what in particular tptacek objected to, but my guess is characterizing them as part of the Government. The Government isn't keeping any secrets here (except for the ones they're presumably contractually obligated to keep by Endgame / VUPEN / etc.), and the vulnerabilities were discovered before the Government contracted with the supplier.
Sounds like part of my summary's issue was grammar/word choice. I definitely understand the problem now and will be more careful.
New summary: The governments (plural) hire these companies (as opposed to "guys") and may, but don't always, keep these software vulnerabilities secret in order to collect information on people/targets. This is sometimes done with a warrant and at other times is done without the need.
I don't see how the governments and these companies aren't keeping the vulnerabilities in the software we rely on secret; I need more convincing.
I really appreciate you taking the time to flesh it out with me, even though it's unlikely we'd end up agreeing (just from hints in the tone we're using), I'm glad it won't just be over poor writing on my part. Thanks!
Yes, the vulnerabilities are kept secret. The value of an exploit decreases significantly after the vulnerability is patched, and they are in the business of selling high value exploits. If they couldn't sell the exploits, they wouldn't be finding the vulnerabilities either. Banning exploit sales won't suddenly result in VUPEN turning into a vuln finding charity.
For whatever it's worth, zeroday exploits are rare in practice. The vast majority of exploited systems are taken down with public vulns because they weren't patched in time. Very few organizations are interested in specific targets; carpet bombing the internet and searching for unpatched shellshock/drupal/etc installations will collect enough low hanging fruit.
Yes: the VUPENs of the world aren't exfiltrating vulnerabilities from NSA. These aren't government secrets being leaked to private sector companies. There's probably more wrong with the summary than that, but I stopped there.
Guys was referring to the companies. "Ours" meaning private businesses and individuals.
I'm sorry if my comment implied "vulnerabilities from the NSA". These are vulnerabilities in everything else, being sold to the NSA, then kept secret by the NSA from the people they are supposed to be protecting.
If I accidentally left a door open on my house and a police officer who knew who I was saw my house left wide open, I'd hope a) he'd let me know or b) not do anything. I hope he wouldn't just go inside and take pictures of my private affairs to use against me later when it's convenient.
This is as opposed to him seeing the door with indications of a break-in; that'd be different, but again, I'd hope he doesn't go in.
This isn't out of fear of illegal activities being discovered (I have none, I'm boring); instead it's from the fear of someone using their position of power to take advantage of me for personal or professional gain, or for the protection/enforcement of political ideologies.
The government hires these guys and then keeps the vulnerabilities in our software and our businesses' software secret?
They then use this to launch attacks and record our communications and actions?
I, of course, would have an opinion on this, I just want to make sure I've got this correct.
Edit: punctuation.