Yeah, there's a cottage industry of security firms who sell exploits to the U.S. government directly or indirectly through big defense contractors. Many, and I personally have assumed _most_ (but without checking), are American firms.
And, frankly, the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bone fides internationally. American firms are probably more discrete, so tabulating widely published exploits by country of origin wouldn't be a great metric to determine which country is doing the most work crafting exploits.
Curious as to why you think it's a bubble. Israeli startups have had many successful exits in recent years, although mostly acquisitions, and not many big flops.
It's just my unsubstantial opinion. Too many players raising too much money in a consolidated market. Bar some notable exceptions (NSO), this herd of misguided lemmings has one way out - acquisition by Checkpoint/Imperva/SalesForce.
But maybe I'm wrong and we'll see 100 Mobileyes in the coming decade.
And, frankly, the Israeli industry has much to gain by advertising their prowess in order to bolster their IT security bone fides internationally. American firms are probably more discrete, so tabulating widely published exploits by country of origin wouldn't be a great metric to determine which country is doing the most work crafting exploits.