Sign in Subscribe

U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report

Kim Zetter

10 min read
U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report
Aleksandar Littlewolf / Freepik

What the government didn't reveal is how many zero days it discovered in 2023 that it kept to exploit rather than disclose. Whatever that number, it likely will increase under the Trump administration, which has vowed to ramp up government hacking operations.

In a first-of-its-kind report, the US government has revealed that it disclosed 39 zero-day software vulnerabilities to vendors or the public in 2023 for the purpose of getting the vulnerabilities patched or mitigated, as opposed to retaining them to use in hacking operations.


It’s the first time the government has revealed specific numbers about its controversial Vulnerabilities Equities Process (VEP) — the process it uses to adjudicate decisions about whether zero-day vulnerabilities it discovers should be kept secret so law enforcement, intelligence agencies, and the military can exploit them in hacking operations or be disclosed to vendors to fix them. Zero-day vulnerabilities are security holes in software that are unknown to the software maker and are therefore unpatched at the time of discovery, making systems that use the software at risk of being hacked by anyone who discovers the flaw.


In the past, the government has said that it discloses more than 90 percent of the vulnerabilities that go through its VEP review, but without providing specific numbers for context. This has made it difficult for the public to assess the size of the government’s zero-day stockpile and whether the equities process favors disclosure over exploitation, as the government claims. It’s not clear that the single-page unclassified document, released quietly last month by the Office of the Director of National Intelligence, helps with this assessment.


The document doesn’t say how many vulnerabilities in total went through VEP adjudication in 2023, or how many the government kept secret that year. It only says that of the 39 vulnerabilities disclosed, ten of these had been through the adjudication process before — meaning that members of the VEP review board had voted to keep them secret in a previous year or years, before deciding in 2023 to disclose them. Under the VEP policy, once the board makes a decision about a zero day, the decision stands until the board revisits it the following year or the government learns that criminal hackers or nation-state adversaries are exploiting the flaw.

One-page unclassified document released by the Office of the Director of National Intelligence about zero days the government disclosed in 2023.

Katie Moussouris, founder and CEO of Luta Security and former advisor to the government’s now-disbanded Cyber Safety Review Board, says that since one of the factors guiding VEP decisions is whether the vulnerability poses a risk to U.S. critical infrastructure or the general public, this means that every other time they had been resubmitted to the VEP “the answer must have been that the risk [hadn’t] increased enough for us to stop using” the vulnerabilities.


What changed the calculus in 2023 isn’t clear. But if the government discovered that other parties were exploiting the vulnerabilities, this would be good information for the public to have, since it could help gauge the “collision rate” of government zero days — collision rate refers to the likelihood that a zero day discovered by one entity will be discovered by others in the same timeframe. A low or high collision rate could impact the risk assessment for whether government zero days should be disclosed or not.


The document doesn’t say how many years the government withheld the ten vulnerabilities before disclosing them in 2023. But a 2017 RAND study found that in the case of one set of vulnerabilities made available to the U.S. government by a third-party seller, the vulnerabilities generally lasted seven or more years before someone disclosed the vulnerability to the software maker to be patched, or the software maker unwittingly eliminated the vulnerability when it released a new version of the program. A similar timeframe may be true for the government’s zero days, suggesting that agencies may be using some of them for years before they’re no longer useful.

This lack of transparency could become a greater issue under the Trump administration, which has vowed to ramp up the government's cyber offensive operations, suggesting that the government demand for zero-day vulnerabilities may increase over the next four years.

The unclassified ODNI report got little notice when it was published last month by Senator Ron Wyden (D - Oregon) after receiving it from the intelligence office as the Biden administration was coming to a close. Under the Intelligence Authorization Act, the ODNI is required to submit an annual classified report to the House and Senate intelligence committees identifying the number of vulnerabilities submitted that year for review under the VEP, the number discovered but excluded from review (the process has loopholes that allow the government to withhold some vulnerabilities from review), and the number disclosed to vendors or the public.


The ODNI is also required to include an unclassified appendix to the annual report that reveals the number of vulnerabilities disclosed for patching and the number that subsequently got patched. The unclassified appendix is supposed to be made public, and the ODNI is supposed to have produced ones going back to 2018. But so far it has only made the one for 2023 available. And even that one does not meet the full requirement because it does not indicate how many of the 39 vulnerabilities that got disclosed were subsequently patched. The ODNI says the intelligence community doesn’t collect that information and therefore can’t include it in the appendix.

2020 Amendment showing that the requirement to make the unclassified report available to the public applies retroactively to 2018 and 2019.


It’s not clear how much more information gets submitted to the intelligence committees in their classified versions of the VEP reports. But when asked if these versions provide sufficient transparency about the vulnerabilities process for the committees to provide proper oversight of the process, Wyden’s office says no.


“The public remains in the dark about how many VEP decisions are unanimous among the agencies that participate, how many involve offensive agencies outvoting defensive agencies, and how many final decisions are the result of an appeal,” a Wyden aide says. “Senator Wyden believes Americans need far more visibility into how the government decides which exploitable software vulnerabilities it discloses to companies to fix, and which it keeps secret, leaving Americans vulnerable to foreign hacks.”


This lack of transparency could become a greater issue under the Trump administration, which has vowed to ramp up the government's cyber offensive operations, suggesting that the government demand for zero-day vulnerabilities may increase over the next four years. If this occurs, the government’s previous statements that the VEP favors disclosure and defense over withholding and offense may no longer be true.

“[The Trump administration] could say we’re disclosing too [many vulnerabilities]. If the default [in the past] was to disclose unless there is a reason to keep, I could easily imagine the default is going to be to keep unless there is a reason to disclose.”


“The VEP and that number of 90 percent was one of the few places where the president and the White House could set the dial on how much they liked defense vs offense,” says Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs and former senior cybersecurity strategist for CISA. “[The Trump administration] could say we’re disclosing too [many vulnerabilities]. If the default [in the past] was to disclose unless there is a reason to keep, I could easily imagine the default is going to be to keep unless there is a reason to disclose.”

VEP Creation


The government created the VEP in 2010, producing a charter with details about how it should operate. But the VEP’s existence remained classified until 2014, when the so-called Heartbleed vulnerability was discovered. Heartbleed was a significant flaw in an OpenSSL cryptography library that web sites use to encrypt traffic between a user’s computer and an internet domain. The flaw had been in the code since 2012 but remained unknown to its developers and the public until security researchers discovered it in 2014.


Bloomberg News reported at the time that the NSA had already known about the vulnerability for at least two years and kept it secret to exploit it for intelligence collection. But the ODNI released a rare response disputing this, saying the intelligence community learned about the vulnerability only when the public did. Had the government known about it before, the ODNI insisted, it would have disclosed it to be fixed, due to the flaw’s severity. To underscore this, the ODNI revealed that the government had a formal process for deciding when to disclose or withhold vulnerabilities, and the process was weighted in favor of disclosure: “[U]nless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities,” the ODNI said.

The ODNI didn’t mention, however, that between 2010 and 2013, agencies required to follow the process failed to do so. Michael Daniel, former cybersecurity advisor to President Obama, says only the NSA was doing a review of vulnerabilities, but not in the way the VEP charter dictated.


“NSA was doing … its own review of vulnerabilities that it found,… following the policy internally, but…it wasn’t being surfaced all the way up to the National Security Council level,” he says. “[And] there wasn’t a robust process at the NSC level to really get the whole process working and all of the agencies involved.”

According to the 2010 VEP charter, the review board is composed of representatives from government entities with offensive or defensive interest in software vulnerabilities. This includes the CIA, DoJ, DHS, NSA, U.S. CyberCommand, Department of Energy, State Department and others. The board reviews vulnerabilities discovered by the U.S. government, by contractors working for the government, or by foreign partner governments that share vulnerabilities with the U.S.


When an agency discovers a zero-day, it submits a description of it to the VEP secretariat along with a recommendation about whether to disclose or withhold. The secretariat has one business day to notify all participating agencies, who have five days to say whether disclosing or withholding the vulnerability will impact their offensive or defensive operations. The agency that found the vulnerability can call on experts to argue in favor of its position, and if the agencies don't reach consensus, the members of the board vote.


If the decision is to disclose, the agency that discovered the zero day has seven business days to do this. If the decision is to withhold, the board will revisit the decision annually until it eventually decides to disclose the vulnerability, or the vulnerability otherwise becomes publicly known or patched. If the government becomes aware in the meantime that the zero day is being exploited by criminal hackers or foreign adversaries, they must notify the executive secretariat, and members have one business day to determine if the vulnerability should be disclosed for patching.


The board can also decide to disseminate information about a vulnerability just to select entities, limit how the government can exploit the vulnerability, or use “indirect means” to let a vendor know about the vulnerability. The document does not elaborate on what the latter means.


Not every vulnerability undergoes a VEP review. Vulnerabilities that government agencies purchase from a seller under a non-disclosure agreement are exempt from VEP review. A seller would require an NDA if the sale isn’t exclusive and it wants to sell the zero day to other customers. Zero days obtained from a foreign government agency under a memo of understanding are also exempt from VEP review. Zero days that are excluded from review still need to be reported to the chair of the board, and the number of vulnerabilities each agency excludes from review has to be disclosed to all members.


When the charter was made public in 2016 in response to a lawsuit, civil liberties groups expressed concern that only government agencies were allowed to participate in decision making and that there didn’t appear to be anyone representing public interests. There also didn’t appear to be independent oversight of the process outside of the member agencies. The board was supposed to produce an annual report about all the zero days that underwent review, but there was no requirement to provide it to Congress or the public.


In 2017, the government released a revised charter, making the National Security Council overseer of the process. And whereas the previous charter emphasized U.S. government interests, the revised charter says the process should prioritize the public's interest and the security of critical information and infrastructure systems as long as there is no “demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes.” In the “vast majority of cases,” it says disclosure is “in the national interest.” The requirement to provide reports to the intelligence communities for oversight came later and is the only part of the VEP that is codified. This means that as long as the process remains just policy and not law, the sitting administration can change it, though they are required to notify the intelligence communities if they do.


One important piece of information about the process that is still unknown and that troubles Moussouris is how the review board makes its risk assessments about whether a zero day should be disclosed. Moussouris, who previously was lead senior security strategist at Microsoft, says there’s no reliable formula for doing this, and even Microsoft finds it difficult to accurately gauge the risk posed by many vulnerabilities. The company might know how many of its direct customers are using a piece of vulnerable code, but it’s very difficult to gauge how many resellers and others have embedded the vulnerable code in critical infrastructure components, medical devices, banking machines and other systems.


“If even the vendors themselves would have a hard time gauging relative risk, how is the federal government supposed to asses that risk?” she says.

Updated 12pm: To clarify when Moussouris was part of the government's CSRB.

Thank you for reading. If you like this content and want to receive more like it in your inbox, become a subscriber. Zero Day is a reader-supported publication. You can support my work by becoming a paid subscriber and receiving content that is only available to paid subscribers or you can subscribe for free.