The emergence of new technologies such as artificial intelligence, spyware, and quantum encryption, coupled with the rapidly changing IT environment, has expanded the realm of national security into cyberspace. Cyber attacks by international hacking organizations or state-sponsored groups pose serious threats to national security. Consequently, there is an urgent need to establish a legal framework capable of addressing these threats through the refinement of national cybersecurity legislation. In particular, since vulnerabilities themselves are difficult to classify as illegal—as seen with grey zone measures—there is a need for transparency in the government's use of cyber vulnerabilities and for a regulatory approach that targets malicious actors rather than specific technologies. The 'Pegasus' spyware developed by Israel's NSO Group can infiltrate personal mobile phones to collect private information and secretly activate cameras and microphones. Although this spyware has been purchased by various government agencies, there have been numerous reports of misuse, such as surveillance of human rights activists. On the other hand, once these cyber vulnerabilities are discovered, patches are actively developed to mitigate the threats. Therefore, while cyber vulnerabilities themselves cannot be the target of regulation, the mixed use of terms such as cyber vulnerabilities, zero-days, exploits, and recently, spyware, complicates regulatory approaches. This paper begins by clarifying these terms and analyzing the cyber vulnerability market, followed by a chronological review of relevant regulations in South Korea, laying the groundwork for improving the cyber vulnerability regulatory framework. Based on this, we analyzed the recent regulatory approaches in the United States, which is actively implementing cyber vulnerability regulations, to derive insights for improving our national cybersecurity regulatory system. There are various approaches to regulating zero-day related cyber vulnerability technologies, such as spyware. Rather than relying on the traditional method of enforcement by existing multilateral organizations, it may be more effective to establish and strengthen voluntary multilateral coalitions. Additionally, in addressing national cybersecurity issues, regulations related to cyber vulnerabilities should focus on regulating malicious acts and actors rather than the technology itself. Furthermore, when government agencies discover and disclose cyber vulnerabilities, the transparency of such decisions must be determined proactively.