A RAND Corp study about zero-day exploits is now available. About 200 zero-days have been analyzed, and data has been collected on how many groups find them and how long they stay undetected. Among the findings:
- Zero-day exploits and their underlying vulnerabilities have a rather long average life expectancy (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.
- For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity.
The report highlights the importance of efforts like Google’s Project Zero: systematically testing software products of all kinds for possible weaknesses and exploitable bugs, then getting them fixed.