The U.S. government–particularly the National Security Agency–are often regarded as having advanced offensive cybersecurity capabilities. But that doesn’t mean that they’re above bringing in a little outside help when it’s needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN.

The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN’s services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company’s “binary analysis and exploits service”.

VUPEN is one of a handful of companies that sell software exploits and vulnerability details. The company, based in Montpellier, France, employs a number of security researchers who do original vulnerability research and develop exploits for bugs that they find. That information is then sold to governments and law enforcement agencies. VUPEN officials have said that the company only will sell its services to NATO countries and will not deal with oppressive regimes.

“We only sell to democracies. We respect international regulations, of course, and we only sell to trusted countries and trusted democracies,” VUPEN CEO Chaouki Bekrar said in an interview last year. “We do not sell to oppressive countries.”

In the debates and conversations that have followed the flood of documents leaked by Edward Snowden about the NSA’s intelligence gathering and surveillance programs, there has been an undercurrent of discussion about the agency’s use of software exploits and malware to eavesdrop on targets. The NSA has an in-house team of security researchers and engineers who do their own vulnerability and exploit research, but the publication of the NSA-VUPEN contract shows that the agency also does business with outside zero-day merchants. Government agencies, intelligence organizations and law enforcement are among the larger buyers of software exploits and there are still a relatively small number of companies who sell these wares, although that number is growing.

Several U.S. defense contractors and small, private security companies also sell vulnerability details and exploits. VUPEN is the most visible and vocal of this group and its researchers can be found at most of the top security conferences throughout the year.

Image from Flickr photos of Jim Kelly.