As such, while our motivating factors may never be fully obvious, there is a clear lesson from the existence of this “simultaneous discovery phenomenon” (sometimes known as “bug collision”): Government security agencies should think much harder about the consequences of weaponizing security vulnerabilities and storing such cyberweapons for long periods of time instead of reporting the bugs to parties who can fix them. Creating cyberweapons out of zero-day vulnerabilities is dangerous – the weapons may be stolen, and, even if they are not, the failure to report exploitable vulnerabilities leaves businesses, organizations, individuals, and even other areas of the government vulnerable to attack. If we believe that whatever motivated our own government’s experts to explore and find underlying bugs is likely, on a statistically significant basis, to also motivate agents of hostile nations and organized crime to explore similar paths, then reporting bugs quickly is essential to preserving our national security.

In fact, I recently received a phishing email that utilized a technique for tricking people that I had recently demonstrated and reported to several vendors, as it exploits the way web browsers and social media platforms handle links. It is not just the “good guys” who experience a “simultaneous discovery phenomenon”; criminals and cybersecurity pros are locked in a race, and often reach the same milestones at similar times. We must recognize this reality – and not deceive ourselves into believing that the zero days that we discover are likely known only to us.