Slash Boxes

SoylentNews is people

posted by Fnord666 on Tuesday March 21 2017, @05:53AM   Printer-friendly
from the keep-it-to-yourself dept.

RAND corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.

It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report (summary and full text[PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:45PM

    by Anonymous Coward on Tuesday March 21 2017, @01:45PM (#482111)

    Obvious questions:

    Where did Rand get the data and why would they expect the source to be truthful?

    The analysis seems to be about an 'us' versus 'them' pair. this results in a small overlap which leads to holding our zero day's.
    It seems like in the real world, there are many 'them's with varying degrees of visibility.
    How could the information source know that the 'them' they provided data for is representative of the whole situation?

    The elephant in the room is that there are so many bugs and so little time.
    Aside from finding and outing zero day's, what can be done to address this situation?
    This report seems to say that the best action is to continue the current situation.
    Unfortunately, that makes everybody's computer a war zone.
    There must be a better path.