Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

RAND obtained a dataset of information about zero-day software exploits through a research connection. It is a rich dataset, as some of these exploits have been found by others and some have not. The dataset spans 14 years (2002–2016) and contains information about more than 200 zero-day exploits and the vulnerabilities that they take
advantage of, over half of which are unknown to the public. The data we received had a final count of 207 exploits, after approximately 20–30 were removed due to operational sensitivity.


Table of Contents:


Little Is Known About the Extent, Use, Benefit, or Harm of Zero-Day Exploits

Should the U.S. Government Disclose Zero-Day Vulnerabilities?

There Are Many Considerations at Stakeholders Want Addressed

Research Questions and the Purpose of is Research. .

Intended Audience for is Research.

Breaking Down the Zero-Day Space

Data for is Research

Methodology of Research and Data

Organization of this Report

More Discussion of Zero-Day Vulnerabilities

Nature of Zero-Day Vulnerabilities.

Exploit Development Basics and Considerations

Exploit Development Cycle

People in the Zero-Day Vulnerability Space

Business Models

Analysis of the

  1. Life Status: Is the Vulnerability Really a Zero-Day? Is It Alive (Publicly Unknown) or Dead (Known to Others)?
  2. Longevity: How Long Will the Vulnerability Remain Undiscovered and Undisclosed to the Public
  3. Collision Rate: What Is the Likelihood at Others Will Discover and Disclose the Vulnerability?
  4. Cost: What Is the Cost to Develop an Exploit for the Vulnerability?

Conclusions and Implications

Finding #1: Declaring a vulnerability as alive (publicly unknown) or dead (publicly known) may be misleading and too simplistic

Finding #2: Exploits have an average life expectancy of 6.9 years after initial discovery; but roughly 25 percent of exploits will not survive for more than a year and a half, and another 25 percent will survive more than 9.5 years

Finding #3: No characteristics of a vulnerability indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and various groupings of exploit class type

Finding #4: For a given stockpile of zero-day vulnerabilities, after a year approximately 5.7 percent have been discovered and disclosed by others

Finding #5: Once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days

Other Recommendations for Defense

Other Recommendations for Offense

Are Zero-Day Vulnerabilities Even at Big of a Deal?.

To Stockpile or Not to Stockpile?

Some Caveats About Our Data

Follow-On Research




Ablon, L., & Bogart, A. (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. Rand Corporation.