What the government didn’t reveal is how many zero days it discovered in 2023 that it kept to exploit rather than disclose. Whatever that number, it likely will increase under the Trump administration, which has vowed to ramp up government hacking operations.
In a first-of-its-kind report, the US government has revealed that it disclosed 39 zero-day software vulnerabilities to vendors or the public in 2023 for the purpose of getting the vulnerabilities patched or mitigated, as opposed to retaining them to use in hacking operations.
It’s the first time the government has revealed specific numbers about its controversial Vulnerabilities Equities Process (VEP) — the process it uses to adjudicate decisions about whether zero-day vulnerabilities it discovers should be kept secret so law enforcement, intelligence agencies, and the military can exploit them in hacking operations or be disclosed to vendors to fix them. Zero-day vulnerabilities are security holes in software that are unknown to the software maker and are therefore unpatched at the time of discovery, making systems that use the software at risk of being hacked by anyone who discovers the flaw.
In the past, the government has said that it discloses more than 90 percent of the vulnerabilities that go through its VEP review, but without providing specific numbers for context. This has made it difficult for the public to assess the size of the government’s zero-day stockpile and whether the equities process favors disclosure over exploitation, as the government claims. It’s not clear that the single-page unclassified document, released quietly last month by the Office of the Director of National Intelligence, helps with this assessment.
The document doesn’t say how many vulnerabilities in total went through VEP adjudication in 2023, or how many the government kept secret that year. It only says that of the 39 vulnerabilities disclosed, ten of these had been through the adjudication process before — meaning that members of the VEP review board had voted to keep them secret in a previous year or years, before deciding in 2023 to disclose them. Under the VEP policy, once the board makes a decision about a zero day, the decision stands until the board revisits it the following year or the government learns that criminal hackers or nation-state adversaries are exploiting the flaw.

Katie Moussouris, founder and CEO of Luta Security and former advisor to the government’s now-disbanded Cyber Safety Review Board, says that since one of the factors guiding VEP decisions is whether the vulnerability poses a risk to U.S. critical infrastructure or the general public, this means that every other time they had been resubmitted to the VEP “the answer must have been that the risk [hadn’t] increased enough for us to stop using” the vulnerabilities.
What changed the calculus in 2023 isn’t clear. But if the government discovered that other parties were exploiting the vulnerabilities, this would be good information for the public to have, since it could help gauge the “collision rate” of government zero days — collision rate refers to the likelihood that a zero day discovered by one entity will be discovered by others in the same timeframe. A low or high collision rate could impact the risk assessment for whether government zero days should be disclosed or not.
The document doesn’t say how many years the government withheld the ten vulnerabilities before disclosing them in 2023. But a 2017 RAND study found that in the case of one set of vulnerabilities made available to the U.S. government by a third-party seller, the vulnerabilities generally lasted seven or more years before someone disclosed the vulnerability to the software maker to be patched, or the software maker unwittingly eliminated the vulnerability when it released a new version of the program. A similar timeframe may be true for the government’s zero days, suggesting that agencies may be using some of them for years before they’re no longer usef
12 Comments
HypnoDrone
So there were 39 vulnerabilities that affected government systems. The rest didn't, so they had no need to disclose.
afavour
> What changed the calculus in 2023 isn’t clear.
Well, the calculus didn't change in 2023 if the report was only released a month or so ago. And in fact, in May 2024:
DHS, CISA Announce Membership Changes to the Cyber Safety Review Board
https://www.dhs.gov/archive/news/2024/05/06/dhs-cisa-announc…
So some new people came in and decided that more public information was better.
> On January 21, 2025, it was reported that the Trump administration fired all members of the CSRB.
Ah, well, never mind then
nimbius
I hope this signals a turning point and lessons learned from the historic practice of hoarding exploits in the hopes they can be weaponized.
When you disclose vulnerabilities and exploits, you effectively take cannons off both sides of the metaphorical battlefield. It actively makes society safer.
staticelf
I think people give the US a lot of unnecessary shit. I don't think my government releases any zero days but I am sure they must have found some. Every government today probably uses zero days but it seems very few release information about them?
numbsafari
NOBUS is a disaster. Knowingly leaving citizens unprotected is an absolute failure of government. Having a robust policy of identifying and resolving cybersecurity faults, and holding organizations accountable for patching and remediation, is necessary if we are going to survive a real cyber “war”. We are absolutely unprepared.
pentel-0_5
These are just the disclosed ones. The weaponized ones (as mentioned), found or bought and kept secret by the NSA, etc., such as from Zerodium (ex-VUPEN) and similar, aren't counted obviously. ;)
ggernov
These are wins because if they're actually patched it takes offensive tools away from our adversaries.
davemp
While I don’t think we should be hoarding vulns, the idea of the government having huge budgets to find and disclose software defects is a bit strange to me. Seems like another instance of socializing bad externalities.
mattmaroon
"What the government didn't reveal is how many zero days it discovered in 2023 that it kept to exploit rather than disclose. Whatever that number, it likely will increase under the Trump administration, which has vowed to ramp up government hacking operations."
This is a bit of a prisoner's dilemma. The world would be better off if everyone disclosed every such exploit for obvious reasons. But if government A discloses everything and government B reserves them to exploit later, then government B has a strong advantage over government A.
The only responses then are war, diplomacy, or we do it too and create yet another mutually assured destruction scenario.
War is not going to happen because the cure would be worse than the disease. The major players are all nuclear powers. Diplomacy would be ideal if there were sufficient trust and buy-in, but it seems unlikely the U.S. and Russia could get there. And with nuclear treaties there's an easy verification method since nuclear weapons are big and hard to do on the sly. It'd be hard to come up with a sufficient verification regime here.
So we're left with mutually assured cyber destruction. I'd prefer we weren't, but I don't see the alternative.