Adobe admits Google fuzzing report led to 80 'code changes' in Flash Player

15.08.2011

"To us, the joint projects we do with partners, including Google, are extensions of our internal security review and code hardening," said Arkin in an interview last Friday, echoing a statement the company made at the time.

Because it does not consider those flaws publicly known, Adobe does not assign them a CVE (Common Vulnerabilities and Exposures) designation, Arkin said. When it issued the Flash Player update and , it listed just 13 CVEs; on Friday it added one more to account for those reported by Ormandy and Google.

"This update resolves multiple memory corruption vulnerabilities that could lead to code execution," Adobe stated in the new entry for CVE-2011-2424.

Normally, Adobe doesn't reveal the number of vulnerabilities that it or its partners have found and that have been patched. But Arkin acknowledged that the company needed to do exactly that this time.

"With every release [of Flash Player] we do a lot of code hardening, but because there's been public discussion, this internal topic has become external," Arkin said.