A new report indicates that zero-day vulnerabilities tend to be available through the black market for an average of 151 days before being discovered by vendors or researchers.

The report also noted that on any given day over the last three years, as many as 58 zero-day vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe have been available on the black market.

The “boutique exploit providers” typically sell the bugs to governments, companies, or rogue hackers for an average of $40,000 to $160,000, with some fetching prices into the millions of dollars, according to the report.

While these numbers may seem astonishing, they are conservative estimates based on the researchers' study of the vulnerability market.

“This is really a minimum estimate,” said research director Stefan Frei. “Using data from known exploit programs or boutique vendors like VUPEN and putting them all together and connecting the dots — it’s astonishing what you get.”

Other key findings include:

  • Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year, resulting in 85 privately known exploits being available on any given day of the year.
  • The true number of “known unknowns” is considerably higher than has been estimated, since many groups in possession of such information have no incentive to coordinate with the vendor of the affected software.
  • Nation states no longer have a monopoly on the latest in cyber weapons technology.

