Undetected security holes have an average life expectancy of 6.9 years and, once found, can have a fully functioning exploit developed within a median time of 22 days, leaving software users throughout the private and public sectors susceptible to hackers.

These are just some of the findings in "Zero Days, Thousands of Nights," a new study of real-world unpatched, undisclosed vulnerabilities and their exploits by public policy research organization the Rand Corporation.

The study uses rare access to a rich data set of more than 200 vulnerabilities from 2002 to 2016 (40 percent still unknown to the public) — the type of vulnerabilities governments might be tempted to retain knowledge of to avoid attacks, or to use as back doors for gathering information and compromising adversary programs. 

"Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense by compelling the affected vendor to implement a patch and protect against the adversary using the vulnerability against them," said Lillian Ablon, lead author of the study and an information scientist with Rand, in a news release. 

"On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve. In that case, stockpiling would be the best option."

Rand sees this research as useful for policymakers making decisions, such as whether to inform of vulnerabilities or stockpile for defensive purposes (e.g., penetration testing) or offensive operations. After all, the group found that for a given stockpile of zero-day vulnerabilities, the average lifespan is 1.5 to 9.5 years and after a year approximately 5.7 percent have been discovered by others. And tagging a vulnerability as "alive" or "dead" is too simplistic, as some may be "immortal" — baked into no longer maintained code — or are "zombies," because even after patches they persist in older versions of a product. 

In general, Rand found that those on offense have the upper hand when it comes to vulnerabilities, because they are typically concerned with its use in the short-term and can procure an exploit for something specific at some cost. Defenders, meanwhile must be concerned with identifying many vulnerabilities and systems breached so may see more costs for test infrastructure, etc. The study's baseline metrics can augment other studies of the tradeoffs of addressing zero-day vulnerabilities.

Rand suggests future analysis to examine the longevity of vulnerabilities for Linux compared with other platforms; to con rm the similarity of longevity of vulnerabilities for open and closed source code type; and to investigate any significance of grouping client-side and remote exploits together compared against a grouping of local, mixed and other exploits.