RAND Zero Days Thousands of Nights

Basic information

Zero Days, Thousands of Nights
The Life and Times of Zero-Day Vulnerabilities and Their Exploits

by Lillian Ablon, Timothy Bogart

Related Topics: Computer Viruses, Cyber Warfare, Cybercrime, Information Security, The Internet, Science, Technology, and Innovation Policy

Summary

http://www.rand.org/pubs/research_reports/RR1751.html?from=timeline#download

Key takeaways

Buyers set the price of a vulnerability

The zero-day market can be divided into white, gray, and black segments.
The gray market's main customers are governments, militaries, and intelligence agencies; the customer base of the black market is hard to pin down.
In the end it is the buyer, not the researcher's effort or the bug class, that decides what a vulnerability or exploit is worth.

In the end, for those who sell their exploits, the entity that purchases the vulnerability can often be the ultimate decider of what to purchase and for how much, regardless of how long it took to find (or exploit) the vulnerability or what type of vulnerability it is.

On pricing

https://zerodium.com/program.html

One vulnerability research firm we spoke to noted that their prices for exploits are three to five times those quoted in Zerodium's published price list (Zerodium, 2016).

While "unicorn" exploits exist, such as iPhone full-chain exploits, they are not the norm, and rarely hit the $1 million mark. Instead, most exploits in the gray or government market are sold between $50,000–$100,000, and can go up to $150,000–$300,000, depending on the exploit. This is compared with exploits in the black market that go for less: a Flash exploit can fetch $30,000–$50,000.

Vulnerability life cycle

The average lifetime of a zero-day vulnerability is about 6.9 years (from initial private discovery until it is publicly disclosed or patched).
Zero-day exploits and their underlying vulnerabilities have a rather long average life expectancy (6.9 years). Only 25 percent of vulnerabilities do not survive to 1.51 years, and only 25 percent live more than 9.5 years.

Expected "collision" loss: roughly 5.7% of a stockpile per year is independently found and publicly disclosed by someone else.
For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity.

Media coverage

Headline from Chinese press coverage (translated): US think tank RAND's study of "0-day vulnerabilities" shows that "stockpiling" is not as dangerous as feared