Risky Bulletin Episode Summary
Between Two Nerds: Is 39 Vulnerabilities a Lot?
Host: risky.biz
Release Date: February 17, 2025
Introduction
In the February 17, 2025 episode of Risky Bulletin, hosts Tom Uren and Grok delve into the intricacies of the United States' Vulnerabilities Equities Process (VEP). Titled "Between Two Nerds: Is 39 Vulnerabilities a Lot?", the episode provides a comprehensive analysis of recent disclosures by the Office of the Director of National Intelligence (ODNI) regarding the number of vulnerabilities released to the public and vendors. This summary captures the essence of their discussion, highlighting key points, insights, and expert opinions.
Understanding the Vulnerabilities Equities Process (VEP)
Tom Uren initiates the conversation by explaining the VEP, a critical framework used by the National Security Agency (NSA) and other intelligence agencies to decide whether to disclose a discovered vulnerability to the public or retain it for intelligence purposes.
[00:12] B: "Is it sort of like, you know, our secret quantum computer has discovered a thing versus, you know, we were fuzzing and in 10 seconds this fell out."
Grok (B) adds that the VEP not only considers the immediate utility of a vulnerability for intelligence operations but also assesses the likelihood of the vulnerability being discovered by adversaries if kept undisclosed.
[01:35] A: "You don't want those kinds of agencies just hanging on to bugs, regardless of the potential downsides."
Both agree that having a structured VEP is beneficial to prevent agencies from hoarding vulnerabilities without accountability.
Dissecting the Numbers: 39 Vulnerabilities Disclosed
The core of the discussion revolves around the ODNI's recent report revealing that 39 vulnerabilities were disclosed in fiscal year 2023. Of these, 29 were initial submissions, and 10 were reconsiderations from previous years.
[02:49] A: "First of all, the ODNI has basically a legal obligation to produce a classified version of this report that is sent to Congress and also an unclassified appendix, which is what we get."
Grok points out the lack of historical data, noting that with only three data points (10, 29, and 39 vulnerabilities), it's challenging to discern a clear trend.
[04:06] B: "Now we have three data points so we can make a line. We've got 10, 29 and 30. So you could see that it's going up very, very sharply."
Tom expresses concern about the total number of undisclosed vulnerabilities, emphasizing that while 39 were released, the actual number held by agencies like the NSA could be in the thousands or even billions.
[04:43] A: "We don't know how many, you know, tens or hundreds or thousands of bugs that NSA just hoarded."
Comparing VEP with Public Vulnerability Reporting
The hosts compare the VEP's output with public vulnerability reporting initiatives. Grok notes that the number of vulnerabilities disclosed through the VEP is relatively low compared to the output of public researcher groups, such as the Microsoft Vulnerability Reporting Club, which reports approximately 80% more vulnerabilities.
[06:05] B: "It's basically slightly less than the output of someone in the top 10 of the Microsoft Vulnerability Reporting Club, which is pretty much 80% in Chinese."
Grok suggests that this discrepancy might be due to the focused nature of intelligence agencies in seeking out vulnerabilities that are particularly valuable for their operations, rather than the broader range pursued by public entities.
[06:40] B: "They just don't need that many bugs overall. Like, I don't think they've got huge arsenals."
Case Study: EternalBlue and Its Implications
A significant portion of the discussion centers around the infamous EternalBlue exploit, a vulnerability used by intelligence agencies for years before its public disclosure and subsequent misuse by malicious actors.
[17:21] A: "We’ve got Eternal Blue was not something that was on anyone’s radar."
Grok elaborates on how EternalBlue was a "God bug" that provided remote system access without authentication, highlighting its long-term utility for intelligence operations until it was leaked.
[16:08] B: "If it had happened any earlier, it would have been even worse."
The hosts discuss the balance between retaining such powerful vulnerabilities for intelligence purposes and the potential risks if these vulnerabilities were to remain undisclosed and unpatched.
[18:54] A: "I think that’s what we want is not to discover that there have been planet melting bugs that NSA held onto."
Effectiveness and Transparency of the VEP
Tom and Grok debate the effectiveness of the VEP in ensuring that only the most critical and hard-to-discover vulnerabilities are retained by intelligence agencies. While Grok asserts that the VEP likely works within its own criteria, he remains skeptical about the transparency and completeness of the disclosed data.
[25:46] B: "I think it would be interesting if we had 10 years of data that we could look at."
Tom emphasizes the importance of transparency, arguing that without comprehensive data, it's challenging to assess whether the VEP is functioning as intended.
[22:17] A: "So the real proof of the pudding is how that agency operates."
Despite acknowledging the partial insights provided by the current report, both hosts agree that limited data hampers a full evaluation of the VEP's efficacy.
Conclusions and Final Thoughts
The episode concludes with a consensus that while the VEP appears to have mechanisms in place to prevent agencies from indiscriminately hoarding vulnerabilities, the lack of extensive data and transparency remains a concern. Grok stresses the importance of oversight and the need for more comprehensive disclosures to truly evaluate the VEP's impact.
[26:12] B: "I think it's fair for them to... it's not a vulnerability until it becomes known to someone who's abusing it."
Tom reiterates the necessity of trusting that oversight processes are effective, yet remains cautious about the opacity surrounding the full scope of undisclosed vulnerabilities.
[26:22] A: "After having spoken about it for 20 odd minutes, it's like, ah, it's pointless."
Key Takeaways
- VEP Purpose: Balances intelligence utility against potential public harm from undisclosed vulnerabilities.
- Current Disclosure Numbers: 39 vulnerabilities disclosed in FY 2023, with 29 initial and 10 reconsidered.
- Transparency Issues: Limited historical data makes it difficult to assess VEP trends and effectiveness.
- EternalBlue Example: Highlights the risks and debates surrounding the retention and eventual disclosure of critical vulnerabilities.
- Calls for More Data: Both hosts advocate for greater transparency and more comprehensive reporting to evaluate the VEP's true impact.
Notable Quotes
- Tom Uren [00:12]: "Is it sort of like, you know, our secret quantum computer has discovered a thing versus, you know, we were fuzzing and in 10 seconds this fell out."
- Grok [04:06]: "Now we have three data points so we can make a line. We've got 10, 29 and 30. So you could see that it's going up very, very sharply."
- Tom Uren [04:43]: "We don't know how many, you know, tens or hundreds or thousands of bugs that NSA just hoarded."
- Grok [06:05]: "It's basically slightly less than the output of someone in the top 10 of the Microsoft Vulnerability Reporting Club, which is pretty much 80% in Chinese."
- Grok [17:21]: "We’ve got Eternal Blue was not something that was on anyone’s radar."
- Tom Uren [22:17]: "So the real proof of the pudding is how that agency operates."
- Grok [26:12]: "I think it's fair for them to... it's not a vulnerability until it becomes known to someone who's abusing it."
This episode of Risky Bulletin offers a thought-provoking exploration of the balance between national security and public safety in the realm of cybersecurity vulnerabilities. By dissecting the VEP and its implications, Tom Uren and Grok provide listeners with a nuanced understanding of the challenges and imperatives that shape vulnerability management at the highest levels of government.
