It takes less than a month for most zero-day exploits to be developed, and about a quarter of those previously unknown and unpatched vulnerabilities will go undiscovered and undisclosed to the vendor for an average of 9.5 years. And the odds that two hackers will find the same zero day are slim.
RAND Corporation analyzed 200 zero-day vulnerabilities, 40 percent of which it says are not publicly disclosed, and published the results this week in an extensive report titled “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and their Exploits.”
“This is a first-ever look at zero days that isn’t based on manufactured data or vulnerabilities that have already been discovered,” said Lillian Ablon, lead author of the study. “Unique to this report is access to privately known but not publicly disclosed zero day vulnerabilities.”