Zero Days, Thousands of Nights

The Life and Times of Zero-Day Vulnerabilities and Their Exploits

Lillian Ablon, Andy Bogart

ResearchPublished Mar 9, 2017

Cover: Zero Days, Thousands of Nights
Order a print copy

Zero-day vulnerabilities — software vulnerabilities for which no patch or fix has been publicly released — and their exploits are useful in cyber operations — whether by criminals, militaries, or governments — as well as in defensive and academic settings.

This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly.

The authors provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (undisclosed), dead (known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities, the likelihood of another party discovering a vulnerability within a given time period, and the time and costs involved in developing an exploit for a zero-day vulnerability.

Key Findings

"Alive" Versus "Dead" Is Too Simplistic

  • Vulnerabilities that are alive (publicly unknown) are those that are actively sought out by defenders — called "living" vulnerabilities — or those that will remain in a product in perpetuity because the vendor no longer maintains the code or issues updates — called "immortal" vulnerabilities.
  • Among vulnerabilities that are dead (publicly known), many are disclosed with a security advisory or patch, but in other cases developers or vulnerability researchers post online about a vulnerability but no security advisory is issued.
  • There are still other vulnerabilities that are quasi-alive ("zombies"), because, due to code revisions, they can be exploited in older versions but not the latest version of a product.

Longevity and Discovery by Others

  • Zero-day exploits and their underlying vulnerabilities have a rather long average life expectancy (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.
  • No vulnerability characteristics indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type.
  • For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity.

Time and Costs Involved in Developing Zero-Day Exploits

  • Once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days.
  • The cost to develop an exploit can rely on many factors, including the time to find a viable vulnerability, time to develop an exploit, the time and costs involved in testing and analysis, the time to integrate an exploit into other ongoing operations, the salaries of the researchers involved, and the likelihood of having to revisit the exploit and update it in response to code revisions.

Order a Print Copy

Format
Paperback
Page count
132 pages
List Price
$31.00
Buy link
Add to Cart

Topics

Document Details

  • Availability: Available
  • Year: 2017
  • Print Format: Paperback
  • Paperback Pages: 132
  • Paperback Price: $31.00
  • Paperback ISBN/EAN: 978-0-8330-9761-3
  • DOI: https://doi.org/10.7249/RR1751
  • Document Number: RR-1751-RC

Citation

RAND Style Manual
Ablon, Lillian and Andy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits, RAND Corporation, RR-1751-RC, 2017. As of October 15, 2024: https://www.rand.org/pubs/research_reports/RR1751.html
Chicago Manual of Style
Ablon, Lillian and Andy Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. Santa Monica, CA: RAND Corporation, 2017. https://www.rand.org/pubs/research_reports/RR1751.html. Also available in print form.
BibTeX RIS

This project is a RAND Venture. Funding for this venture was provided by philanthropic contributions from RAND supporters and income from operations. The research was conducted by the RAND Institute for Civil Justice (ICJ) within RAND Justice, Infrastructure, and Environment.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.