It’s been known for some time that Western government cyber agencies stockpile zero-day vulnerabilities, hoping to find ways of exploiting them in
It’s been known for some time that Western government cyber agencies stockpile zero-day vulnerabilities, hoping to find ways of exploiting them in Internet-connected devices of targets. Meanwhile security researchers urge the same governments to quickly release discoveries of these vulnerabilities so they can quickly be patched before criminals and not-so-friendly governments find and exploit them.
Now a new study suggests keeping quiet may be the better way to protect society because the odds of zero-days being discovered are low.
The study, by the U. S.-based Rand Corporation of a dataset of the history 200 zero-day vulnerabilities and their exploits found between 2002 and 2006, reveals they have average shelf life —the time between initial private discovery and public disclosure—of 6.9 years. In addition, the likelihood of two people finding the same vulnerability — which researchers call the collision rate — is approximately 5.7 percent per year.
Those two facts suggests the level of protection afforded by disclosing a vulnerability may be modest, argues the report, and that keeping quiet about—or “stockpiling”—vulnerabilities may be a reasonable option for those looking to both defend their own systems and potentially exploit vulnerabilities in others’.
The report has added interest with the release last week by WikiLeaks of an alleged hacking archive of tools used by the U.
