Software vulnerabilityRAND study examines 200 real-world “Zero-Day” software vulnerabilities

Published 9 March 2017

Zero-day software vulnerabilities – security holes that developers haven’t fixed or aren’t aware of – can lurk undetected for years, leaving software users particularly susceptible to hackers. A new study from the RAND Corporation, based on rare access to a dataset of more than 200 such vulnerabilities, provides insights about what entities should do when they discover them.

Zero-day software vulnerabilities – security holes that developers haven’t fixed or aren’t aware of – can lurk undetected for years, leaving software users particularly susceptible to hackers. A new study from the RAND Corporation, based on rare access to a dataset of more than 200 such vulnerabilities, provides insights about what entities should do when they discover them.

Until now the big question — whether governments or anyone should publicly disclose or keep quiet about the vulnerabilities — has been difficult to answer because so little is known about how long zero-day vulnerabilities remain undetected or what percentage of them are eventually found by others.

RAND says that a new RAND study is the first publicly available research to examine vulnerabilities that are still currently unknown to the public. The research establishes initial baseline metrics that can augment other studies that have relied on manufactured data, findings only from publicly known vulnerabilities, or expert opinion. 

Based on the dataset, RAND researchers have determined that zero-day vulnerabilities have an average life expectancy – the time between initial private discovery and public disclosure – of 6.9 years. That long timeline plus low collision rates – the likelihood of two people finding the same vulnerability (approximately 5.7 percent per year) – means the level of protection afforded by disclosing a vulnerability may be modest and that keeping quiet about – or “stockpiling” – vulnerabilities may be a reasonable option for those entities looking to both defend their own systems and potentially exploit vulnerabilities in others’.

“Typical ‘white hat’ researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it,” said Lillian Ablon, lead author of the study and an information scientist with RAND, a nonprofit research organization. “Others, like system-security-penetration testing firms and ‘grey hat’ entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability – or its corresponding exploit – is a game of tradeoffs, particularly for governments.”

People who know about these weaknesses may create “exploits,” or code that takes advantage of that vulnerability to access other parts of a system, execute their own code, act as an administrator or perform some other action. One famous example is the Stuxnet worm, which relied on four Microsoft zero-day vulnerabilities to compromise Iran’s nuclear program.