How long does a zero-day vulnerability stay alive, meaning unknown to the vendor and unpatched, before it is finally disclosed?
According to new research from RAND Corporation, an average of 6.9 years.
What's even more unsettling is that there's only about a 5.7% chance per year that someone else independently finds the same flaw. In other words, whoever holds a zero-day can expect, on average, almost seven years of use out of it, with a better than 94% chance in any given year that nobody else stumbles onto it.
And 25% of zero-days live past 9.5 years. Scared yet? You should be.
If you're a white-hat hacker, it's in your best interest to disclose the vulnerability to the vendor and hopefully collect a nice bug bounty. If your intentions are less benign, or you work on the offensive side and the exploit is worth more to you alive than patched, you may choose to keep it to yourself.
If the vulnerability you've found is of interest to a nation-state, the disclosure decision carries far higher stakes. Lillian Ablon, lead author of the study, says in a press release:
“Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them. On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware in reserve. In that case, stockpiling would be the best option.”
RAND's researchers also found that about 40% of the zero-day exploits in the dataset they studied were still unknown to the public. Last year, Symantec estimated that in 2015 a new zero-day was discovered every single week. For every vulnerability that is found and disclosed, then, there are likely many more lurking in the shadows.
The recent WikiLeaks dump of CIA documents describes numerous zero-day exploits the agency reportedly stockpiled for flaws in Apple, Android, and Samsung products.
"By hiding these security flaws from manufacturers like Apple and Google, the CIA ensures that it can hack everyone... at the expense of leaving everyone hackable," WikiLeaks warns.
There's a lot at stake when these vulnerabilities stay undisclosed, or worse, are known to only a few. So how do we keep these flaws out of the wrong hands and make sure they get disclosed properly?