The US government discovered and reported 39 vulnerabilities in one year, but a considerable number of others may remain secret

The report revealed that in fiscal year 2023 the US government reported vulnerabilities to vendors or disclosed them to the public in 39 cases. However, journalist Kim Zetter points out that 'while there are 39 disclosed vulnerabilities, it is unclear how many were discovered and not reported.'
US Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report

The document begins by saying, 'Pursuant to Section 6270 of the Revised Code, the Director of National Intelligence is required to annually report data related to the Vulnerabilities Equities Process (VEP). This document satisfies that reporting requirement.'
However, I could not find this document on the official website of the Office of the Director of National Intelligence (ODNI), where numerous annual reports and news releases are published. After searching, I found it on the website of Senator Ron Wyden, a Democrat, but it is unclear why the ODNI did not post the document itself.
(U) FY23 VEP Annual Report Unclassified Appendix

The document then states that 'The total number of vulnerabilities disclosed to vendors or the public under the VEP in fiscal year 2023 was 39.' According to Zetter, this is the first time that the U.S. government has released figures based on the VEP.
However, the document goes on to say that 'of the disclosures, 29 were provided for the first time and 10 were revisions of vulnerabilities from previous years,' so Zetter points out that 'it is unclear how many vulnerabilities the U.S. government has discovered in total.' The report counts only what was disclosed, not what was found.
To recap, the VEP is the process the US government uses to decide whether a vulnerability discovered by one of its agencies (intelligence, law enforcement, or the military) should be kept secret so that it can be used in hacking operations, or reported to the vendor so that it can be fixed. A vulnerability the government judges useful for its own operations may therefore never be shared with the vendor, or only much later: Zetter notes that in the past, some vulnerabilities have been reported to vendors more than seven years after they were discovered.
The document concludes by saying, 'The total number of vulnerabilities disclosed to vendors or publicly under the VEP that have since been fixed is unknown. This information has not been collected by the intelligence community and cannot be reported.' In other words, even for the 39 disclosed cases, the report does not say whether the flaws were actually patched.
in Note, Posted by logc_nt