Zero-day vulnerabilities and their exploits are useful in offensive operations as well as in defensive and academic settings.
RAND obtained rare access to a dataset of information about more than 200 zero-day software vulnerabilities and their exploits - many of which are still publicly unknown. We analyzed these data to provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities (longevity), the likelihood of another party discovering a vulnerability within a given time period (collision rate), and the time and costs involved in developing an exploit for a zero-day vulnerability.
The RAND study is the first publicly available research to examine vulnerabilities and their fully functional exploits that are still currently unknown to the public. The research establishes initial baseline metrics that can augment conventional proxy examples and expert opinion, inform ongoing policy discussions, and complement current efforts related to the retention and disclosure of zero-day vulnerabilities and exploits.
This research can help inform software vendors, vulnerability researchers, and policymakers by illuminating the overlap between vulnerabilities found privately and publicly, highlighting the characteristics of these vulnerabilities, and providing a behind-the-scenes look at zero-day exploit development.