U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, First-Ever Report

  • I hope this signals a turning point and lessons learned from the historic practice of hoarding exploits in the hopes they can be weaponized.

    When you disclose vulnerabilities and exploits, you effectively take cannons off both sides of the metaphorical battlefield. It actively makes society safer.

  • Burning 0-days makes your enemies spend more time on finding new ones - costs rise so they will go bankrupt. Cold war 2.0. It's not enough to just run grep / memcpy finder on software like 20-15 years ago.

  • There is no such thing as a "Nobody But Us" vulnerability. Leaving holes in systems and praying enemies won't discover them, with the hope of attacking them ourselves is extremely foolish.

  • I've seen the invite-only marketplaces where these exploits are sold. You can buy an exploit to compromise any piece of software or hardware that you can imagine. Many of them go for millions of dollars.

    There are known exploits to get root access to every phone or laptop in the world. But researchers won't disclose these to the manufacturers when they can make millions of dollars selling them to governments. Governments won't disclose them because they want to use them to spy on their citizens and foreign adversaries.

    The manufacturers prefer to fix these bugs, but aren't usually willing to pay as much as the nation states that are bidding. All they do is drive up the price. Worse, intelligence agencies like the NSA often pressure or incentivize major tech companies to keep zero-days unpatched for exploitation.

    It's a really hard problem. There are a bunch of perverse incentives that are putting us all at risk.

  • These are just the disclosed ones. The weaponized ones (as mentioned), found or bought and kept secret by the NSA, etc., such as from Zerodium (ex-VUPEN) and similar, aren't counted obviously. ;)

  • So there were 39 vulnerabilities that affected government systems. The rest didn't, so they had no need to disclose.

  • "What the government didn't reveal is how many zero days it discovered in 2023 that it kept to exploit rather than disclose. Whatever that number, it likely will increase under the Trump administration, which has vowed to ramp up government hacking operations."

    This is a bit of a prisoner's dilemma. The world would be better off if everyone disclosed every such exploit for obvious reasons. But if government A discloses everything and government B reserves them to exploit later, then government B has a strong advantage over government A.

    The only responses then are war, diplomacy, or we do it too and create yet another mutually assured destruction scenario.

    War is not going to happen because the cure would be worse than the disease. The major players are all nuclear powers. Diplomacy would be ideal if there were sufficient trust and buy-in, but it seems unlikely the U.S. and Russia could get there. And with nuclear treaties there's an easy verification method since nuclear weapons are big and hard to do on the sly. It'd be hard to come up with a sufficient verification regime here.

    So we're left with mutually assured cyber destruction. I'd prefer we weren't, but I don't see the alternative.

  • Disclosing zero-days so the vendor can patch them and declare "mission accomplished" is such a waste.

    "Penetrate and Patch" is about as effective for software security as it is for bulletproof vests. If you randomly select 10 bulletproof vests for testing, shoot each 10 times and get 10 holes each, you do not patch those holes and call it good. What you learned from your verification process is that the process that led to that bulletproof vest is incapable of consistently delivering products that meet the requirements. Only development process changes that result in passing new verification tests give any confidence of adequacy.

    Absent actively, or likely actively, exploited vulnerabilities, the government should organize vulnerabilities by "difficulty" and announce the presence of, but not disclose the precise nature of, vulnerabilities and demand process improvement until vulnerabilities of that "difficulty" are no longer present, as indicated by fixing all "known, but undisclosed" vulnerabilities of that "difficulty". Only that provides initial supporting evidence that the process has improved enough to categorically prevent vulnerabilities of that "difficulty". Anything less is just papering over defective products on the government's dime.

  • I think people give the US a lot of unnecessary shit. I don't think my government releases any zero days but I am sure they must have found some. Every government today probably uses zero days but it seems very few release information about them?

  • Simply because not enough anti-malware vendors are willing to let US government know that one of their favorite hoard of malware has lost "its edge".

    So, either they form a department of viability or they lose it all.

  • While I don’t think we should be hoarding vulns, the idea of the government having huge budgets to find and disclose software defects is a bit strange to me. Seems like another instance of socializing bad externalities.

  • These are wins because if they're actually patched it takes offensive tools away from our adversaries.

  • The US often gets negative takes for doing what many other nations are also doing.

    For example in 2018 Tencent (basically, China) withdrew from hacking competitions like pwn2own taking along with them the disclosures that proceeded.

  • I guess there won't be one in 2024.

  • NOBUS is a disaster. Knowingly leaving citizens unprotected is an absolute failure of government. Having a robust policy of identifying and resolving cybersecurity faults, and holding organizations accountable for patching and remediation, is necessary if we are going to survive a real cyber “war”. We are absolutely unprepared.

  • > What changed the calculus in 2023 isn’t clear.

    Well, the calculus didn't change in 2023 if the report was only released a month or so ago. And in fact, in May 2024:

    DHS, CISA Announce Membership Changes to the Cyber Safety Review Board https://www.dhs.gov/archive/news/2024/05/06/dhs-cisa-announc...

    So some new people came in and decided that more public information was better.

    > On January 21, 2025, it was reported that the Trump administration fired all members of the CSRB.

    Ah, well, never mind then
