U.S. Government Reveals Record of 39 Zero-Day Vulnerability Disclosures in Landmark Transparency Report


In an unprecedented disclosure, the U.S. government revealed it shared information about 39 zero-day software vulnerabilities with vendors and the public during 2023, according to a groundbreaking report from the Office of the Director of National Intelligence (ODNI).

This marks the first time specific numbers have been released about the government's Vulnerabilities Equities Process (VEP), which determines whether discovered security flaws should be disclosed for patching or retained for intelligence and law enforcement operations.

Of the 39 vulnerabilities disclosed, ten had previously been kept secret through earlier VEP reviews before the decision was made to release them in 2023. The report does not specify how many total vulnerabilities went through VEP review or were retained.

The disclosure comes as part of new reporting requirements under the Intelligence Authorization Act, which mandates the ODNI submit annual classified reports to Congress about the VEP program, along with unclassified public summaries.

Security experts note that the risk to U.S. critical infrastructure and public safety is a key factor in deciding whether to disclose vulnerabilities. The government has previously claimed it shares over 90% of the vulnerabilities reviewed through VEP.

Katie Moussouris, CEO of Luta Security, raised questions about how the government assesses vulnerability risks, noting that even software vendors struggle to accurately gauge the full impact of security flaws across their customer base.

The release of these numbers provides a rare glimpse into the government's handling of zero-day vulnerabilities - security holes unknown to software makers that leave systems vulnerable to exploitation. However, experts say more transparency is still needed around the decision-making process.

Senator Ron Wyden's office indicated that Congress lacks sufficient visibility into how agencies vote on vulnerability disclosures and how many decisions favor offensive versus defensive interests.

As cyber operations expand, this inaugural report establishes an important baseline for public understanding of how the government balances national security interests with software security.