RAND obtained a dataset of information about zero-day software exploits through a research connection. It is a rich dataset, as some of these exploits have been found by others and some have not. The dataset spans 14 years (2002–2016) and contains information about more than 200 zero-day exploits and the vulnerabilities that they take advantage of, over half of which are unknown to the public. The data we received had a final count of 207 exploits, after approximately 20–30 were removed due to operational sensitivity.
Table of Contents:
Little Is Known About the Extent, Use, Benefit, or Harm of Zero-Day Exploits
Should the U.S. Government Disclose Zero-Day Vulnerabilities?
There Are Many Considerations That Stakeholders Want Addressed
Research Questions and the Purpose of This Research
Intended Audience for This Research
Breaking Down the Zero-Day Space
Data for This Research
Methodology of Research and Data
Organization of this Report
More Discussion of Zero-Day Vulnerabilities
Nature of Zero-Day Vulnerabilities
Exploit Development Basics and Considerations
Exploit Development Cycle
People in the Zero-Day Vulnerability Space
Analysis of the
- Life Status: Is the Vulnerability Really a Zero-Day? Is It Alive (Publicly Unknown) or Dead (Known to Others)?
- Longevity: How Long Will the Vulnerability Remain Undiscovered and Undisclosed to the Public?
- Collision Rate: What Is the Likelihood That Others Will Discover and Disclose the Vulnerability?
- Cost: What Is the Cost to Develop an Exploit for the Vulnerability?
Conclusions and Implications
Finding #1: Declaring a vulnerability as alive (publicly unknown) or dead (publicly known) may be misleading and too simplistic
Finding #2: Exploits have an average life expectancy of 6.9 years after initial discovery; but roughly 25 percent of exploits will not survive for more than a year and a half, and another 25 percent will survive more than 9.5 years
Finding #3: No characteristics of a vulnerability indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and various groupings of exploit class type
Finding #4: For a given stockpile of zero-day vulnerabilities, after a year approximately 5.7 percent have been discovered and disclosed by others
Finding #5: Once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days
Other Recommendations for Defense
Other Recommendations for Offense
Are Zero-Day Vulnerabilities Even That Big of a Deal?
To Stockpile or Not to Stockpile?
Some Caveats About Our Data
Ablon, L., & Bogart, A. (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. RAND Corporation.