In response to a series of questions posed before his confirmation hearing in front of the Senate Armed Services Committee, National Security Agency director nominee Vice Admiral Michael Rogers said that the NSA is working with the White House to create a process to determine what to do with zero-day vulnerabilities that the agency uncovers.

In his response to the questions, posted on the Armed Services Committee’s website, Rogers acknowledged that some of those bugs are kept secret by the NSA for “purposes of foreign intelligence.” But he added that the NSA has always had a process for handling information on flaws it discovers in commercial software and hardware, and that more often than not the agency discloses the vulnerabilities it finds in products to their developers or manufacturers.

The NSA has a dual role: it directs cybersecurity (“information assurance”) policy for the US military, and it penetrates the defenses of other countries’ networks for intelligence collection. The agency therefore has a built-in conflict of interest when it comes to handling zero-day security vulnerabilities discovered in commercial products: a flaw it discloses is one it can no longer exploit. An August 2013 report by The Washington Post revealed that the agency spent $25 million in 2013 alone on “software vulnerabilities from private malware vendors.”

“The default is to disclose vulnerabilities in products and systems used by the US and its allies,” Rogers wrote in his response to the committee. “The information assurance and intelligence elements of NSA jointly participate in this process.”