Not trying to claim whataboutism, but I think there's an elephant in the room. The end result of the NSA saying "ok, as of today we've completely disarmed our cyberweapon stockpile and released patches for all vulnerabilities to the appropriate software companies" wouldn't be the end of cyberattacks. It would just be someone else doing them. I don't know what the real solution is. Maybe there is none.
The point is that there would be fewer cyber attacks, both because the NSA itself would no longer be adding to the number of hacks and because the NSA would use their sizeable budget to discover and disclose vulnerabilities, presumably making all of us safer.
Their budget is sizeable but less than the annual profits of Google, Microsoft, Apple, etc. And NSA pays for tons of stuff that those corporations don't have to deal with like having thousands of linguists.
Where is the responsibility of corporations in all of this? They have a cash pile that dwarfs the entire intel budget and ought to be the FIRST entities that invest in fixing their OWN products, right?
> Where is the responsibility of corporations in all of this?
Somewhere around here:
> "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"
"Sorry shareholders, you'll be getting a tiny dividend this year because we are spending a huge part of our 'profit' on backfixing all the shit we let slide," said no CEO ever.
> because the NSA would use their sizeable budget to discover and disclose vulnerabilities
Right now, the process is:
1. Find a way to survey the target environment, learn what software and hardware they are running
2. Acquire vulnerabilities to exploit the known target software/hardware, either from a third-party, a contractor, or manual reverse engineering of those specific components.
3. Adapt mission specific payloads to use on the target.
4. Use for as long as needed.
5. Disclose to vendor after the purpose is served.
If the agency mission changed to be purely about discovery and reporting, that might not help the general public. If this were to happen, it seems like the focus would likely be on protection of only the software/hardware in classified systems, as that is already their defensive mission. Instead of having things like EternalBlue patched, we would have them open and available for a different party to discover. That seems worrisome to me, but I am really curious to know if you might have a different take on how this would work.
This is a strawman. No one knowledgeable is saying it would create 100% security, just that it would be a net increase in the security of our infrastructure.
The sentiment I've seen from people is "if we can just stop the NSA from doing these, our problems will go away".
What I'm saying is not to do nothing, but rather we need to have a plan for continued attacks (like how spam filters came into being) in addition to trying to get any and all vulns fixed.
Somebody could have done that right now as well, but nobody has made them so far (or used them in any significant way that people know of).
Instead of (ab)using somebody else's mistakes to your own advantage (and possibly having it backfire), you could also tell that person about their mistakes so the whole world could benefit and there would be one issue fewer in the world to worry about.
People have, in the past. The problem is that we will never remove all 0days until we stop releasing software. That's not to say we shouldn't try (to Quarrelsome's point), but eventually the stockpile today will be obsoleted by the stockpile of tomorrow. And if nation states didn't have a pile, the seedy side of the internet would, alongside trading botnets, credit card lists, etc. My point being that while noble efforts, it won't go away and we need to figure out how to deal with it.
Here's one reason such a stockpile could be used for good: say a previously unknown vuln is attacking "our" (whomever that is for you) infrastructure. The command and control has been traced back to a cluster that's vulnerable to one of the weapons in your stockpile. Now you can potentially disable it, stop it spreading, tell all of them to run an updated version of the code that essentially does nothing, etc. For all I know, this could have happened already.