RAND corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.
It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.
The report (summary and full text [PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.
(Score: 2, Interesting) by Soylentbob on Tuesday March 21 2017, @06:56AM
From tfa:
No vulnerability characteristics indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type.
Yes, please... As a long-term Linux user, I'm convinced that at least the prestigious projects (Linux, postgres, mariadb [formerly mysql], etc.) receive patches for known zero-days pretty fast. Regarding overall code quality, open source seems to have an edge (although I doubt this for some of the newer hipster projects), but it would be interesting to know if availability of source code makes it significantly easier for foreign governments to find zero-days.
The best strategy to ensure superiority and safety would IMO be to employ developers to contribute to critical projects in order to gain competence, and maybe to invest in freely available static code-analysis tools. Maybe that would be a good option to sink some of the defence budget into. Since Trump was demanding that Europe increase its defence spending, that might be a good first step :-)