RAND corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.
It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.
The report (summary and full text [PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:12PM (1 child)
"hello fellow citizen! in the name of national security(*) your computing results maybe have to stay wrong and/or faulty! have a nice day!"
(*)?
(Score: 1) by khallow on Tuesday March 21 2017, @02:20PM
*zappity zap zap zap zap*