U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, First-Ever Report

nimbius

I hope this signals a turning point and lessons learned from the historic practice of hoarding exploits in the hopes they can be weaponized.

When you disclose vulnerabilities and exploits, you effectively take cannons off both sides of the metaphorical battlefield. It actively makes society safer.

toomuchtodo

Governments who want power will hoard the knowledge, which is power. Other governments will share. This is perpetual tension: we collectively receive utility when good policy is active (rapid dissemination of vuln info), but we need third parties to seek these exploits out when government cannot be relied on. Very similar to the concept of journalism being the Fourth Estate imho.

(vuln mgmt in finance is a component of my day gig)

spacephysics

Most likely these vulnerabilities were known by adversaries and they decided to report these to make it more difficult for those adversaries to attack.

I'm sure the really juicy zero days they've discovered in-house are kept out of reports like these.

axegon_

I doubt it. Historically, most government agencies around the world have had appalling security and each iteration is just as bad as the previous with a few half-assed patches on top to cover the known holes.

meowface

I might be a contrarian, but I think it makes sense for the NSA to hoard 0-days. They should disclose only after they burn them.

thomastjeffery

You can't actually hoard them, though. They aren't objects, they are knowledge.

A 0-day is present in every instance of the software it can exploit.

lenerdenator

I'd be surprised if the policy continues.

Or if the people who worked at the agency are still there.

burkaman

They are not: https://techcrunch.com/2025/01/22/trump-administration-fires...

Also, not a joke, this program contains the word "equity" ("the Director of National Intelligence is required to annually report data related to the Vulnerabilities Equities Process") so it will probably be frozen or cancelled.

ggernov

Take a wild guess as to which country has the most zero-day exploits and uses them to do reprehensible things...

Oh wait - Israel

downrightmike

Probably not. In Trump's first term he was all for allowing ransomware, and the only reason we started seeing a strategy for mitigating it was because of Biden. Since Trump is all in on crypto, and Russia is the main beneficiary of ransomware, I highly expect cybercrime to ramp up as the current admin is positioned to benefit directly.

edm0nd

Ain't no way.

All major governments hoard 0days or buy them to use for espionage. I don't see this being some kind of "turning point"; it's more of a feel-good, easy PR win for the US gov, but really they are still using many 0days to spy.

davemp

While I don’t think we should be hoarding vulns, the idea of the government having huge budgets to find and disclose software defects is a bit strange to me. Seems like another instance of socializing bad externalities.

HypnoDrone

So there were 39 vulnerabilities that affected government systems. The rest didn't, so they had no need to disclose.

bangaladore

Similar, but my thought is that they found out some other gov(s) know about it as well. And that it hurts others more than it hurts the US gov.

ggernov

These are wins because if they're actually patched it takes offensive tools away from our adversaries.

pentel-0_5

These are just the disclosed ones. The weaponized ones (as mentioned), found or bought and kept secret by the NSA, etc., such as from Zerodium (ex-VUPEN) and similar, aren't counted, obviously. ;)

numbsafari

NOBUS is a disaster. Knowingly leaving citizens unprotected is an absolute failure of government. Having a robust policy of identifying and resolving cybersecurity faults, and holding organizations accountable for patching and remediation, is necessary if we are going to survive a real cyber "war". We are absolutely unprepared.

sneak

This presupposes that the purpose of government is to protect citizens.

The purpose of government is to take and maintain power and prevent any other organization from displacing them. It involves citizens only as a means to an end.

It would be a failure of government to place citizen safety over continuity of government.

afavour

> What changed the calculus in 2023 isn’t clear.

Well, the calculus didn't change in 2023 if the report was only released a month or so ago. And in fact, in May 2024:

DHS, CISA Announce Membership Changes to the Cyber Safety Review Board https://www.dhs.gov/archive/news/2024/05/06/dhs-cisa-announc...

So some new people came in and decided that more public information was better.

> On January 21, 2025, it was reported that the Trump administration fired all members of the CSRB.

Ah, well, never mind then.

neuronexmachina

Yep. From the article:

> This lack of transparency could become a greater issue under the Trump administration, which has vowed to ramp up the government's cyber offensive operations, suggesting that the government demand for zero-day vulnerabilities may increase over the next four years. If this occurs, the government’s previous statements that the VEP favors disclosure and defense over withholding and offense may no longer be true. ...

> “The VEP and that number of 90 percent was one of the few places where the president and the White House could set the dial on how much they liked defense vs offense,” says Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs and former senior cybersecurity strategist for CISA. “[The Trump administration] could say we’re disclosing too [many vulnerabilities]. If the default [in the past] was to disclose unless there is a reason to keep, I could easily imagine the default is going to be to keep unless there is a reason to disclose.”

ipunchghosts

[flagged]

shermantanktop

Easy, just hire people who constantly say “thank you for your leadership sir.”

I often talk about encouraging a truthseeking culture at work, because people naturally tend to gravitate toward easy or popular ideas.

But this is more like a lie-seeking culture.

int_

[flagged]

JoshTko

[flagged]

staticelf

I think people give the US a lot of unnecessary shit. I don't think my government releases any zero days but I am sure they must have found some. Every government today probably uses zero days but it seems very few release information about them?