Figures and Tables
Little Is Known About the Extent, Use, Benefit, or Harm of Zero-Day Exploits
Should the U.S. Government Disclose Zero-Day Vulnerabilities?
There Are Many Considerations That Stakeholders Want Addressed
Research Questions and the Purpose of This Research
Breaking Down the Zero-Day Space
Data for This Research
Methodology of Research and Data Collection
Organization of This Report
Nature of Zero-Day Vulnerabilities
Exploit Development Basics and Considerations
People in the Zero-Day Vulnerability Space
CHAPTER THREE: Analysis of the Data
1. Life Status: Is the Vulnerability Really a Zero-Day? Is It Alive (Publicly Unknown) or Dead (Known to Others)?
2. Longevity: How Long Will the Vulnerability Remain Undiscovered and Undisclosed to the Public?
3. Collision Rate: What Is the Likelihood That Others Will Discover and Disclose the Vulnerability?
4. Cost: What Is the Cost to Develop an Exploit for the Vulnerability?
Finding #1: Declaring a vulnerability as alive (publicly unknown) or dead (publicly known) may be misleading and too simplistic
Finding #2: Exploits have an average life expectancy of 6.9 years after initial discovery; but roughly 25 percent of exploits will not survive for more than a year and a half, and another 25 percent will survive more than 9.5 years
Finding #3: No characteristics of a vulnerability indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and various groupings of exploit class type
Finding #4: For a given stockpile of zero-day vulnerabilities, after a year approximately 5.7 percent have been discovered and disclosed by others
Finding #5: Once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days
Other Recommendations for Defense
Other Recommendations for Offense
To Stockpile or Not to Stockpile?
Some Caveats About Our Data
A. The Exploit Development Cycle
B. The Vulnerability Researchers: Who Looks for Vulnerabilities?
C. How Mitigations Have Affected Exploitability: Heap Versus Stack Exploitation Case Study
D. Close Collisions
E. Purchasing a Zero-Day Exploit: Some Cost and Pricing Considerations
F. Additional Figures and Tables
G. More Information About the Data