
posted by Fnord666 on Tuesday March 21 2017, @05:53AM
from the keep-it-to-yourself dept.

RAND corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.

It turns out that 0-day vulnerabilities have an average lifetime of about 6.9 years, and that the sets found by a pair of serious opponents (typically nation-state governments) overlap by only a few percent. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report (summary and full text [PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.


  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @06:21AM (#481983)

    The PDF explains it well. There are a bunch of fancy statistics, particularly relating to lifetime. The weakest assumption is that the set of vulnerabilities found in the private set of about 200 is of a similar nature to the ones that are public. Still, it's not a bad assumption, especially given the known properties of that set of vulnerabilities. From there we may compute the chance that a pair of adversaries will discover the same bugs or different bugs.

    The NSA may well be releasing a steady stream of foreign-discovered 0-days to 'our team'. There is no way they'd take credit for it. Probably they'd use anonymous bug reports to the vendor.