Zero-day vulnerabilities and their exploits are useful in offensive operations as well as in defensive and academic settings.
RAND obtained rare access to a dataset of information about more than 200 zero-day software vulnerabilities and their exploits - many of which are still publicly unknown. We analyzed these data to provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities (longevity), the likelihood of another party discovering a vulnerability within a given time period (collision rate), and the time and costs involved in developing an exploit for a zero-day vulnerability.
The RAND study is the first publicly available research to examine vulnerabilities and their fully functional exploits that are still currently unknown to the public. The research establishes initial baseline metrics that can augment conventional proxy examples and expert opinion, inform ongoing policy discussions, and complement current efforts related to retention and disclosure of zero-day vulnerabilities and exploits.
This research can help inform software vendors, vulnerability researchers, and policymakers by illuminating the overlap between vulnerabilities found privately and publicly, highlighting the characteristics of these vulnerabilities, and providing a behind-the-scenes look at zero-day exploit development.
Lillian Ablon is an information scientist at the RAND Corporation and a professor at the Pardee RAND Graduate School. She conducts technical and policy research on topics spanning cyber security, emerging technologies, privacy and security in the digital age, computer network operations, digital exhaust, and the human element. Recent research topics include longevity and collision rates of zero-day software vulnerabilities and their exploits; cyber risks to the supply chain; coverages and risks of cyber insurance; consumer attitudes towards data breach notifications; the intersection of commercial technology companies and public policy; black markets for cybercrime tools and stolen data as well as the white, grey, and black markets for zero-day exploits; social engineering and open source intelligence; methods for zero-day vulnerability detection; tools and technologies for greater cyber situational awareness; future and emerging technologies and the 2020-2040 operating environment; and privacy concerns with digital identity. Prior to joining RAND, Ablon created and worked with some of the most cutting-edge technologies in cryptography, network exploitation and vulnerability analysis, and mathematics. She won an "uber" black badge at DEFCON21 and holds a B.A. in mathematics from the University of California, Berkeley, and an M.S. in mathematics from Johns Hopkins University.