Research shows that zero day vulnerabilities have an unusually long average life span of 6.9 years

RAND Corporation, a nonprofit global policy think tank, has released a report studying zero day vulnerabilities.

A zero day vulnerability is a flaw that is unknown to the software vendor and for which no patch exists, so an attacker who knows about it can exploit it to breach the affected system. The researchers had unprecedented access to a dataset of more than 200 zero day exploits and their underlying vulnerabilities, provided by a private vulnerability research group, and the report is the first publicly available research to examine zero day vulnerabilities that remain unknown to the public.

Zero day vulnerabilities are exploited by criminals and government agents for various kinds of cyber operations.

Lillian Ablon, lead author of the study, said: "Typical 'white hat' researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it. Others, like system-security-penetration testing firms and 'grey hat' entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability — or its corresponding exploit — is a game of tradeoffs, particularly for governments."

A key finding of the report is that classifying zero day vulnerabilities simply as "alive" or "dead" is too simplistic. A zero day is alive while the vulnerability is unknown to the public; it is dead once the vulnerability has been publicly disclosed and the software vendor has shipped a patch and a security advisory. Two further states matter in practice. If the developer no longer maintains the code or issues updates, the vulnerability is "immortal": no patch will ever arrive, so the exploit keeps working for as long as the software is in use. "Zombies" are exploits for vulnerabilities that have been patched in current releases but still work against older versions that have not been upgraded, which is why a disclosed and patched zero day is not necessarily dead on any given network.

The research shows that zero day vulnerabilities have a rather long average life expectancy of 6.9 years. A quarter of zero days do not survive past 1.51 years, while another quarter survive longer than 9.5 years. The report found no characteristic of a vulnerability that predicts how long it remains alive: whether the zero day is relatively minor or critical had no measurable influence on its lifespan.
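Life-expectancy figures like the ones above cannot be computed as a plain average, because at the end of any observation window some zero days are still alive: their lifetimes are known only as a lower bound (they are right-censored), and averaging only the ones that have already died throws away exactly the long-lived cases. Survival analysis is the standard tool for this kind of data. The following Python is an added example written for this page, not code or data from the RAND report: it estimates a Kaplan-Meier survival curve over a small constructed set of hypothetical zero days (the `zd-NN` names are made up), reads off the quartiles and the life expectancy, and compares them with the naive average.

```python
"""
Added example (not from the RAND report or the article above): estimating
zero-day life expectancy with a Kaplan-Meier survival curve.

Each record holds the number of years between private discovery of a zero
day and its "death" (public disclosure plus a vendor patch). A record with
died=False was still alive when observation ended, so its lifetime is
right-censored: we only know it lived *at least* that long.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ZeroDay:
    name: str      # hypothetical label, not a real CVE or report identifier
    years: float   # observed lifetime in years (to death, or to end of observation)
    died: bool     # True if disclosed and patched inside the observation window


# Constructed sample of twelve hypothetical zero days. Not the RAND dataset.
SAMPLE: List[ZeroDay] = [
    ZeroDay("zd-01", 0.4, True),
    ZeroDay("zd-02", 1.0, True),
    ZeroDay("zd-03", 1.5, True),
    ZeroDay("zd-04", 2.0, False),   # still alive (censored) at end of observation
    ZeroDay("zd-05", 2.5, True),
    ZeroDay("zd-06", 3.0, True),
    ZeroDay("zd-07", 4.0, False),
    ZeroDay("zd-08", 5.0, True),
    ZeroDay("zd-09", 6.0, False),
    ZeroDay("zd-10", 7.0, True),
    ZeroDay("zd-11", 9.0, False),
    ZeroDay("zd-12", 10.0, True),
]

Curve = List[Tuple[float, float]]   # [(death time, S(t) just after it)]


def kaplan_meier(records: List[ZeroDay]) -> Curve:
    """Survival step function S(t): at each distinct death time t, multiply the
    running survival by (1 - deaths_at_t / number_at_risk_at_t). Censored
    records count as 'at risk' up to their observed time and then drop out
    without contributing a death, which is what keeps them from biasing S(t)."""
    death_times = sorted({r.years for r in records if r.died})
    survival = 1.0
    curve: Curve = []
    for t in death_times:
        at_risk = sum(1 for r in records if r.years >= t)
        deaths = sum(1 for r in records if r.died and r.years == t)
        survival *= 1.0 - deaths / at_risk
        curve.append((t, survival))
    return curve


def survival_quantile(curve: Curve, fraction_dead: float) -> Optional[float]:
    """Smallest death time by which at least `fraction_dead` of zero days have
    died (0.25 gives the '25% do not survive past ...' figure, 0.5 the median).
    Returns None if the curve never falls that far, i.e. too much censoring."""
    for t, s in curve:
        if s <= 1.0 - fraction_dead + 1e-9:
            return t
    return None


def restricted_mean_lifetime(curve: Curve) -> float:
    """Area under S(t) up to the last observed death. When S(t) reaches zero,
    as it does for SAMPLE, this is the Kaplan-Meier life expectancy; if the
    longest-lived record were censored instead, it would be a lower bound."""
    area = 0.0
    prev_t, prev_s = 0.0, 1.0
    for t, s in curve:
        area += prev_s * (t - prev_t)
        prev_t, prev_s = t, s
    return area


def naive_mean_of_dead(records: List[ZeroDay]) -> float:
    """The tempting but wrong estimate: average over zero days already dead."""
    dead = [r.years for r in records if r.died]
    return sum(dead) / len(dead)


if __name__ == "__main__":
    curve = kaplan_meier(SAMPLE)
    for t, s in curve:
        print(f"after {t:5.1f} years: {s:5.1%} still alive")
    print("25% dead by       :", survival_quantile(curve, 0.25), "years")
    print("median lifetime   :", survival_quantile(curve, 0.50), "years")
    print("KM life expectancy: %.2f years" % restricted_mean_lifetime(curve))
    print("naive mean of dead: %.2f years" % naive_mean_of_dead(SAMPLE))
```

On this sample the Kaplan-Meier life expectancy is about 5.37 years while the naive average over the dead records is 3.8 years, which is the direction of error to expect whenever long-lived zero days are still alive at the end of the study. The same censoring logic applies to a defender's own data, for example the time between a vulnerability being reported and it being patched across a fleet, where hosts not yet patched are the censored cases.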

The study, Zero Days, Thousands of Nights, by Lillian Ablon and Andy Bogart, was published by RAND in 2017 and is available online for free.


Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.