
SoylentNews is people


RAND study suggests 0-day exploits should be stockpiled

Accepted submission by Albert at 2017-03-20 08:10:22
Techonomics

RAND got exclusive access to study a couple hundred 0-day vulnerabilities and their exploits.

It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report (summary [rand.org] which links to this PDF [rand.org]) includes quite a bit more about the industry, including some estimates of pricing and headcount.

