[no subject]
- https://theintercept.com/2017/03/10/government-zero-days-7-years/
> Zero Days, Thousands of Nights
> The Life and Times of Zero-Day Vulnerabilities and Their Exploits
>
> by Lillian Ablon, Timothy Bogart
>
> Zero-day vulnerabilities — software vulnerabilities for which no patch
> or fix has been publicly released — and their exploits are useful in
> cyber operations — whether by criminals, militaries, or governments —
> as well as in defensive and academic settings.
>
> This report provides findings from real-world zero-day vulnerability
> and exploit data that could augment conventional proxy examples and
> expert opinion, complement current efforts to create a framework for
> deciding whether to disclose or retain a cache of zero-day
> vulnerabilities and exploits, inform ongoing policy debates regarding
> stockpiling and vulnerability disclosure, and add extra context for
> those examining the implications and resulting liability of attacks
> and data breaches for U.S. consumers, companies, insurers, and for the
> civil justice system broadly.
>
> The authors provide insights about the zero-day vulnerability research
> and exploit development industry; give information on what proportion
> of zero-day vulnerabilities are alive (undisclosed), dead (known), or
> somewhere in between; and establish some baseline metrics regarding
> the average lifespan of zero-day vulnerabilities, the likelihood of
> another party discovering a vulnerability within a given time period,
> and the time and costs involved in developing an exploit for a
> zero-day vulnerability.
> Key Findings
>
Rand (PDF report link on right sidebar):
http://www.rand.org/pubs/research_reports/RR1751.html