Zero Days, Thousands of Nights: The Life, Times, and Exploits of Zero-Day Vulnerabilities

Razer g2s at riseup.net
Sun Mar 12 21:00:54 PDT 2017


From the Intercept writeup:
> Rand’s report is based on unprecedented access to a database of zero
> days from a company that sells them to governments and other customers
> on the “gray market.” The collection contains about 200 entries —
> about the same number of zero days some experts believe the government
> to have. Rand found that the exploits had an average lifespan of 6.9
> years before the vulnerability each targeted was disclosed to the
> software maker to be fixed, or before the vendor made upgrades to the
> code that unwittingly eliminated the security hole. 
https://theintercept.com/2017/03/10/government-zero-days-7-years/


> Zero Days, Thousands of Nights
> The Life and Times of Zero-Day Vulnerabilities and Their Exploits
>
> by Lillian Ablon, Timothy Bogart
>
> Zero-day vulnerabilities — software vulnerabilities for which no patch
> or fix has been publicly released — and their exploits are useful in
> cyber operations — whether by criminals, militaries, or governments —
> as well as in defensive and academic settings.
>
> This report provides findings from real-world zero-day vulnerability
> and exploit data that could augment conventional proxy examples and
> expert opinion, complement current efforts to create a framework for
> deciding whether to disclose or retain a cache of zero-day
> vulnerabilities and exploits, inform ongoing policy debates regarding
> stockpiling and vulnerability disclosure, and add extra context for
> those examining the implications and resulting liability of attacks
> and data breaches for U.S. consumers, companies, insurers, and for the
> civil justice system broadly.
>
> The authors provide insights about the zero-day vulnerability research
> and exploit development industry; give information on what proportion
> of zero-day vulnerabilities are alive (undisclosed), dead (known), or
> somewhere in between; and establish some baseline metrics regarding
> the average lifespan of zero-day vulnerabilities, the likelihood of
> another party discovering a vulnerability within a given time period,
> and the time and costs involved in developing an exploit for a
> zero-day vulnerability.
Rand (PDF report link on right sidebar):
http://www.rand.org/pubs/research_reports/RR1751.html

More information about the cypherpunks mailing list