• BlackHat Europe, March 25-26, 2008, Amsterdam


  • Stefan Frei, Bernhard Tellenbach


We introduce the 0-day patch rate as a metric to measure the evolution of the security ecosystem and the performance of software vendors in protecting their customers. The 0-day patch rate is the number of patches a vendor is able to release on the day of the public disclosure of the vulnerability. We directly compare the performance of Microsoft and Apple over the last 6 years. Further, this metric allows us to measure the effectiveness of the coordinated vulnerability disclosure process. The long-term analysis of patches available at 0, 30, 90 and 180 days after disclosure gives insight into the vendors' processes and the evolution of the security ecosystem. We discover trends and discuss their implications.
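The metric described above, computed over a constructed sample, as an added illustration that is not part of the talk or the authors' data set: a patch counts as available at day N when its release date is at most N days after public disclosure (patches released before disclosure count at day 0), and vulnerabilities with no patch count against the vendor at every window. All identifiers and dates below are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    disclosed: date            # date of public disclosure
    patched: Optional[date]    # patch release date, None if no patch exists yet

# Constructed sample (hypothetical ids and dates, not real advisories).
SAMPLE = [
    Vuln("vendor-a-001", date(2007, 1, 9),  date(2007, 1, 9)),   # patched on disclosure day
    Vuln("vendor-a-002", date(2007, 2, 13), date(2007, 2, 10)),  # patched 3 days before disclosure
    Vuln("vendor-a-003", date(2007, 3, 6),  date(2007, 3, 27)),  # patched after 21 days
    Vuln("vendor-a-004", date(2007, 4, 3),  date(2007, 6, 15)),  # patched after 73 days
    Vuln("vendor-a-005", date(2007, 5, 8),  None),               # still unpatched
]

# The observation points used in the talk: 0, 30, 90 and 180 days after disclosure.
WINDOWS: Tuple[int, ...] = (0, 30, 90, 180)

def days_to_patch(v: Vuln) -> Optional[int]:
    """Days from disclosure to patch; negative if the patch predates disclosure, None if unpatched."""
    if v.patched is None:
        return None
    return (v.patched - v.disclosed).days

def patch_rate(vulns: Iterable[Vuln], window_days: int) -> float:
    """Fraction of vulnerabilities with a patch available at disclosure + window_days."""
    vulns = list(vulns)
    if not vulns:
        return 0.0
    available = 0
    for v in vulns:
        d = days_to_patch(v)
        if d is not None and d <= window_days:
            available += 1
    return available / len(vulns)

def patch_rate_profile(vulns: Iterable[Vuln], windows: Tuple[int, ...] = WINDOWS) -> Dict[int, float]:
    """Patch availability at each observation window; windows[0] == 0 gives the 0-day patch rate."""
    vulns = list(vulns)
    return {w: patch_rate(vulns, w) for w in windows}

if __name__ == "__main__":
    for window, rate in patch_rate_profile(SAMPLE).items():
        print(f"day {window:>3}: {rate:.0%} of sample patched")
```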