In fact, Adobe has listed only 13 holes in Flash Player in the recent release, and failed to document others.
The discussion continued as some of Google's researchers (including Ormandy) revealed that the bugs in questions were found by fuzzing.
"The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following Adobe's initial triage. As these bugs were resolved, many were identified as duplicates that weren't caught during the initial triage," they explained.
"No analysis was performed to determine how many of the identified crashes were actually exploitable. However, each crash was treated as though it were potentially exploitable and addressed by Adobe. In the final analysis, the Flash Player update Adobe shipped earlier this week contained about 80 code changes to fix these bugs."
After an initial silence on the matter, Adobe decided to offer an explanation. According to Computerworld, the company admitted that Ormandy had reported some 80 bugs in Flash Player, but defended their decision of not list all the vulnerabilities in the released security bulletins by saying that it usually doesn't reveal or mention vulnerabilities found internally - by them or their partners.
Also, the question is whether all those 80 flaws would lead to an exploitable hole. As far as Adobe is concerned, only holes get a CVE number.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.