PDF The NSA has revealed for the first time in public how it handles and reports critical unpatched security flaws its snoopers discover in software.

It is generally accepted the US taxpayer-funded spy agency has a private stash of exploitable programming blunders that it uses to infect and monitor its intelligence targets' computers and phones.

Alerting app makers and IT giants to these holes, and getting them patched, could cost Uncle Sam some valuable information. It's possible the agency tips off companies about the vulnerabilities once they've been successfully used against a target. The tech security world has been pressing to get some insight into the US government's zero-day policy.

On Friday, we found out thanks to a successful Freedom of Information Act request from the Electronic Frontier Foundation (EFF).

The obtained NSA document [full PDF] issued by the ████████ ███████████████████ ████ ███████ ████████████████ advises government agencies on how to handle and report vulnerabilities in software used by agencies or the contracting companies they work with.

The dossier, marked secret, explains how agencies can accomplish the US Department of Homeland Security-mandated cybersecurity task of ██████████████ █████████████ ███████ within the Joint Plan for the Coordination and Application of ███████ ███████ █████████████ ████ ███████████.

Among the processes explained is the government's Vulnerability Equities Process (VEP), a bunch of rules that covers ███████████████ ████████ █████████████ ██████ █████████████████████ when ████████████████ ██████ ███████ █████ ███████ and ████████ ██████ ███████ with ███████████ ██████████████████████ █████████ ████████████ ████████████ ████████ ██████████.

The document – some parts marked as US-only, others for America's Five Eyes partners – also says that government agencies and contractors should not immediately take their vulnerability discoveries to vendors, but instead notify █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ███████████████ █████ ████ ██████ and consider the risks for ███████ ███████████ ███ and ████ █████████████████.

Crucially, ████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████████████ ██████ █████████████ ████████ ███ ██ █████ ████.

Meanwhile, flaws in NSA-certified hardware, software, and encryption algorithms should be reported to the NSA, which will handle things from there.

Infosec bods were quick to share their thoughts on the newly unearthed government policies.

I got all excited about the release of docs re: the US gov's vulnerability disclosure rules. And then I read them. pic.twitter.com/W5MKtwrJMc — Christopher Soghoian (@csoghoian) September 4, 2015

EFF staff attorney Andrew Crocker noted that in-between discussing ███████ █████████ ████████████ █████████████████ ██████ and explaining ████████████ ████████ ███████████████, the document does provide some interesting clues on government security policy in regards to security vulnerabilities.

"If the government chooses to keep a vulnerability secret for intelligence purposes, for example, it does not notify the developer, which would likely otherwise issue a patch and protect users from online adversaries such as identity thieves or foreign governments who may also be aware of the zero-day," Crocker wrote.

"That’s why the US government’s written policy on what to do with zero-days is so important."

There is no word on whether further reports on the NSA's █████████ ██████████████ █████████████████████ ██████████ will be forthcoming.

Agency spokesperson ████████████ ███████████████ told El Reg: "███████ ████ █████████████ ████████ █████████████████████████ █████████ ████████████ ██████. ████ ██████████████████████████████ ████████ ████ ██████.████ █████████ █████ ███████ ██████." ®