U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, First-Ever Report

Scope of the report & politics

  • Several commenters stress the report only covers vulnerabilities that went through the Vulnerabilities Equities Process (VEP) and were chosen for disclosure; it says nothing about the total number found or weaponized.
  • Some argue 39 likely represents cases where adversaries already knew or where disclosure hurt adversaries more than it hurt the U.S.
  • Others point to recent and likely future political shifts, such as membership changes on the Cyber Safety Review Board and the subsequent firing of its members, as evidence that the current transparency may be short‑lived.

Hoarding vs disclosure

  • One camp sees disclosure as “removing cannons from both sides,” making everyone safer and reducing adversaries’ toolsets.
  • The opposing view: intelligence and law‑enforcement need exploit stockpiles; they should hold zero‑days until an exploit is “burned.”
  • Counter‑arguments note you can’t truly “hoard” a vulnerability, only delay others’ discovery, and that leaks like Shadow Brokers show stockpiling can backfire catastrophically.

NOBUS, VEP, and government purpose

  • NOBUS (“nobody but us”) is widely criticized as dangerous: knowingly leaving citizens exposed is seen as governmental failure.
  • Others argue the primary purpose of government is power preservation, not citizen safety, so retaining offensive capability is rational.
  • There’s disagreement over NSA’s charter: some see it as intrinsically offensive (breaking foreign codes), others as mixed offense/defense with strong potential to improve domestic security.
  • Commenters familiar with VEP emphasize its premise: assume others can find the same bugs; default should be disclose unless there’s a strong offensive need.

International norms & game theory

  • Multiple comments frame this as a prisoner’s‑dilemma / security‑dilemma: if the U.S. discloses and rivals don’t, rivals gain a net advantage.
  • Some say virtually all major states hoard zero‑days, making this an international norm rather than a uniquely U.S. problem.
  • Others reject “everyone does it” as a moral defense and insist it remains harmful even if widespread.

Exploit markets & incentives

  • People describe invite‑only exploit markets where high‑end chains sell for millions, with governments as primary buyers.
  • Manufacturers usually can’t or won’t match nation‑state prices, so researchers are pushed toward offensive buyers.
  • There’s speculation about insiders planting bugs to later sell, but others note there’s little evidence and that discovery is only a small part of the value; building and maintaining reliable chains is the hard part.

Societal safety, software quality & policy ideas

  • Several argue the real issue is poor baseline software quality and weak accountability; “penetrate and patch” fixes individual bugs but not systemic process failures.
  • Proposed ideas include:
    • Stronger certification / process requirements (e.g., akin to safety standards), at least for government‑procured software.
    • Treating high‑impact exploits as regulated weapons, though others call that unrealistic and hyperbolic.
    • Insurance‑style schemes where vendors pay into a fund that both compensates victims and buys/discloses vulnerabilities.
  • There’s pessimism that current disclosure levels mark any lasting “turning point”; many expect offensive zero‑day use to continue or expand.