Cheltenham-based GCHQ has said said it doesn't always tell companies if their software is vulnerable to cyber attacks.

The government's intelligence and security organisation has made its decision-making process public for the first time, on both the GCHQ and National Cyber Security Centre (NCSC) websites.

In the statement, it said it will sometimes withhold the information to protect national security.

NCSC has a team of of researchers that find flaws in different types of computer software and systems, from the most popular used by millions of people to niche technical kit.

The statement said: "We've discovered vulnerabilities and informed the vendors of every major mobile and desktop platform for over 20 years.

"This work plays an important role in helping to secure the technology which underpins our economy and the everyday lives of millions of people in the UK and abroad.

"However, we do not disclose every vulnerability we find.

"In some cases, we judge that the UK's national security interests are better served by 'retaining' knowledge of a vulnerability."

The statement says the information can be used "to gather intelligence and disrupt the activities of those who seek to do the UK harm, including terror groups, serious and organised crime gangs, and malign states".

If there is an intelligence purpose it has to be in a current case or one in the near future, and it is kept under review.

The statement said that it encourages businesses to look after their own systems: "The vast majority of cyber-attacks exploit known vulnerabilities which is why we encourage organisations and citizens to keep their systems patched. Before any vulnerability is made public, we ensure that a fix is available so that everyone can follow best practice by patching it and removing the weakness.

"When this happens, the companies involved sometimes publicly credit us, as Microsoft did in the first quarter of 2018, when the NCSC was named as one of the top five bounty hunters.

"Nice as it is to be recognised, we aren't here for the publicity. It's our job to make the UK the safest place to live and do business online. Even when (as in the vast majority of cases) no credit is given, these disclosures are an important element of that work."