RAND Report: Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

The RAND Corporation recently published an analysis of how long zero-day exploits persist in software. Highlights include:

  • Zero-day exploits and their underlying vulnerabilities have a rather long average life (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.
  • No vulnerability characteristics indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type.
  • For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity.
  • Once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days.
  • The cost to develop an exploit depends on many factors, including the time to find a viable vulnerability, the time to develop an exploit, the time and costs involved in testing and analysis, the time to integrate an exploit into other ongoing operations, the salaries of the researchers involved, and the likelihood of having to revisit the exploit and update it in response to code revisions.
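The lifetime figures above (an average life, the 1.51-year and 9.5-year quartiles, and the 5.7 percent one-year collision rate) are the kind of numbers a survival analysis produces from a set of vulnerabilities, some of which are still alive when the observation window closes. The following is an added example, not code or data from the RAND report, showing how such quantities are estimated with a Kaplan-Meier curve on a small constructed set of records: each vulnerability has the year it was found and, if it has since been publicly disclosed, the year that happened; the cutoff year, the record names and all dates are assumptions chosen for illustration. The collision rate here is read off the survival curve as the share of vulnerabilities disclosed by others within one year, and the "average life" is the restricted mean survival time, the area under the curve up to the cutoff.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed record type: `found` and `died` are years measured from the start
# of a hypothetical observation window; `died` is None while the bug is still
# unknown to the public at the cutoff (a right-censored observation).
@dataclass(frozen=True)
class VulnRecord:
    name: str
    found: float
    died: Optional[float]

CUTOFF_YEARS = 10.0  # assumed end of the observation window

# Constructed sample data (not from the report).
SAMPLE_RECORDS: List[VulnRecord] = [
    VulnRecord("v-a", 0.0, 0.5),
    VulnRecord("v-b", 0.0, 0.8),
    VulnRecord("v-c", 1.0, 2.5),
    VulnRecord("v-d", 0.0, 3.0),
    VulnRecord("v-e", 2.0, None),
    VulnRecord("v-f", 0.5, 5.5),
    VulnRecord("v-g", 4.0, None),
    VulnRecord("v-h", 0.0, 7.0),
    VulnRecord("v-i", 8.0, None),
    VulnRecord("v-j", 1.0, 9.0),
]

def lifetimes(records: List[VulnRecord], cutoff: float = CUTOFF_YEARS) -> List[Tuple[float, bool]]:
    """Convert records to (duration, event_observed) pairs.
    A vulnerability still alive at the cutoff contributes a censored duration."""
    pairs = []
    for r in records:
        if r.died is None:
            pairs.append((cutoff - r.found, False))
        else:
            pairs.append((r.died - r.found, True))
    return pairs

def kaplan_meier(pairs: List[Tuple[float, bool]]) -> List[Tuple[float, float]]:
    """Kaplan-Meier estimator: returns (time, survival) steps at each event time.
    Censored observations leave the risk set without lowering the curve."""
    ordered = sorted(pairs)
    at_risk = len(ordered)
    survival = 1.0
    curve = []
    i = 0
    while i < len(ordered):
        t = ordered[i][0]
        deaths = leaving = 0
        # Ties at the same time are handled together; events and censorings
        # at time t are both counted as at risk at t.
        while i < len(ordered) and ordered[i][0] == t:
            leaving += 1
            deaths += 1 if ordered[i][1] else 0
            i += 1
        if deaths:
            survival *= 1.0 - deaths / at_risk
            curve.append((t, survival))
        at_risk -= leaving
    return curve

def survival_at(curve: List[Tuple[float, float]], t: float) -> float:
    """Survival probability at time t (step function, right-continuous)."""
    s = 1.0
    for time, surv in curve:
        if time > t:
            break
        s = surv
    return s

def time_to_survival(curve: List[Tuple[float, float]], level: float) -> Optional[float]:
    """First time at which survival drops to `level` or below (quartile/median)."""
    for t, s in curve:
        if s <= level:
            return t
    return None  # curve never falls that far within the window

def restricted_mean(curve: List[Tuple[float, float]], horizon: float) -> float:
    """Area under the survival curve from 0 to `horizon`: mean life restricted
    to the observation window, which is what censored data can support."""
    area, prev_t, surv = 0.0, 0.0, 1.0
    for t, s in curve:
        if t >= horizon:
            break
        area += (t - prev_t) * surv
        prev_t, surv = t, s
    return area + (horizon - prev_t) * surv

def summarize(records: List[VulnRecord], cutoff: float = CUTOFF_YEARS) -> dict:
    """Produce the report-style headline numbers for a set of records."""
    curve = kaplan_meier(lifetimes(records, cutoff))
    return {
        "first_quartile_years": time_to_survival(curve, 0.75),
        "median_years": time_to_survival(curve, 0.50),
        "third_quartile_years": time_to_survival(curve, 0.25),
        "one_year_collision_rate": 1.0 - survival_at(curve, 1.0),
        "restricted_mean_life_years": restricted_mean(curve, cutoff),
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_RECORDS).items():
        print(f"{k}: {v:.3f}" if v is not None else f"{k}: beyond window")
```

On the constructed sample the curve never reaches zero because three records are censored, so a plain mean of observed deaths would understate lifetimes; the restricted mean and the quartiles read off the curve are the honest quantities, which is why a study of this kind reports quartiles and a one-year collision rate rather than just averaging the disclosed cases.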