RAND Study Examines 200 Real-World 'Zero-Day' Software Vulnerabilities
Mar 9, 2017
Zero-day vulnerabilities — software vulnerabilities for which no patch or fix has been publicly released — and their exploits are useful in cyber operations, as well as in defensive and academic settings. This report provides findings from real-world zero-day vulnerability and exploit data that can inform ongoing policy debates regarding stockpiling (i.e., keeping zero-day vulnerabilities private) versus disclosing them to the public.
The Life and Times of Zero-Day Vulnerabilities and Their Exploits
|PDF file||1.7 MB||Best for desktop computers.|
|ePub file||3 MB||Best for mobile devices.
On desktop computers and some mobile devices, you may need to download an eBook reader to view ePub files. Calibre is an example of a free and open source e-book library management application.
|mobi file||6.9 MB||Best for Kindle 1-3.
On desktop computers and some mobile devices, you may need to download an eBook reader to view mobi files. Amazon Kindle is the most popular reader for mobi files.
Arabic language version
|PDF file||1.2 MB|
|Add to Cart||Paperback132 pages||$31.00||$24.80 20% Web Discount|
Zero-day vulnerabilities — software vulnerabilities for which no patch or fix has been publicly released — and their exploits are useful in cyber operations — whether by criminals, militaries, or governments — as well as in defensive and academic settings.
This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly.
The authors provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (undisclosed), dead (known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities, the likelihood of another party discovering a vulnerability within a given time period, and the time and costs involved in developing an exploit for a zero-day vulnerability.
More Discussion of Zero-Day Vulnerabilities
Analysis of the Data
Conclusions and Implications
The Exploit Development Cycle
The Vulnerability Researchers: Who Looks for Vulnerabilities?
How Mitigations Have Affected Exploitability: Heap Versus Stack Exploitation Case Study
Purchasing a Zero-Day Exploit: Some Cost and Pricing Considerations
Additional Figures and Tables
More Information About the Data
This project is a RAND Venture. Funding for this venture was provided by philanthropic contributions from RAND supporters and income from operations. The research was conducted by the RAND Institute for Civil Justice (ICJ) within RAND Justice, Infrastructure, and Environment.
This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.