Empirical analysis of publicly unknown security vulnerabilities

Stefan Frei

In recent years, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. These groups have access to critical information that would allow them to compromise all vulnerable systems without the public ever having knowledge of the threats. These privately known vulnerabilities are regarded as the “known unknowns” of cyber security.

NSS Labs has analyzed ten years of data from two major vulnerability purchase programs, and the results reveal that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. Further, it has been found that these vulnerabilities remain private for an average of 151 days. These numbers are considered a minimum estimate of the “known unknowns”, as it is unlikely that cyber criminals, brokers, or government agencies will ever share data about their operations.
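The two figures above (vulnerabilities privately known "on any given day" and the average number of days they stay private) can be derived from a dataset of acquisition and disclosure dates. The following Python script is an added illustration of that computation and is not NSS Labs' code or dataset; the records in SAMPLE, their vendors and dates are constructed for the example. For each day in an observation window it counts the vulnerabilities already acquired but not yet public, then reports the minimum daily count (the "at least N on any given day" statistic) and the mean private window in days.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed sample records, not NSS Labs data: the date a vulnerability was
# acquired by a purchase program (privately known from then on) and the date it
# became public. Vendor names are illustrative; the dates are hypothetical.
SAMPLE = [
    {"id": "V-1", "vendor": "Microsoft", "private_since": date(2012, 1, 1),  "public": date(2012, 3, 1)},
    {"id": "V-2", "vendor": "Adobe",     "private_since": date(2012, 1, 15), "public": date(2012, 5, 15)},
    {"id": "V-3", "vendor": "Oracle",    "private_since": date(2012, 2, 1),  "public": date(2012, 8, 1)},
    {"id": "V-4", "vendor": "Apple",     "private_since": date(2012, 3, 1),  "public": date(2012, 4, 1)},
    {"id": "V-5", "vendor": "Microsoft", "private_since": date(2012, 6, 1),  "public": date(2012, 12, 1)},
]


def days_private(record):
    """Days between acquisition and public disclosure (the private window)."""
    return (record["public"] - record["private_since"]).days


def average_days_private(records):
    """Mean private window over all records (the analogue of the '151 days' figure)."""
    return mean(days_private(r) for r in records)


def privately_known_on(records, day):
    """Records that were already acquired but not yet public on `day`."""
    return [r for r in records if r["private_since"] <= day < r["public"]]


def daily_known_unknowns(records, start, end):
    """Count of privately known vulnerabilities for every day in [start, end]."""
    counts = {}
    day = start
    while day <= end:
        counts[day] = len(privately_known_on(records, day))
        day += timedelta(days=1)
    return counts


def exposure_summary(records, start=None, end=None):
    """Minimum, maximum and mean daily count over the window, plus the mean
    private window in days. The default window runs from the first acquisition
    to the day before the last disclosure."""
    if start is None:
        start = min(r["private_since"] for r in records)
    if end is None:
        end = max(r["public"] for r in records) - timedelta(days=1)
    counts = daily_known_unknowns(records, start, end)
    return {
        "window": (start, end),
        "min_daily": min(counts.values()),
        "max_daily": max(counts.values()),
        "mean_daily": mean(counts.values()),
        "mean_days_private": average_days_private(records),
    }


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE)
    print(f"window {summary['window'][0]} to {summary['window'][1]}")
    print(f"on any given day at least {summary['min_daily']} vulnerabilities were privately known "
          f"(max {summary['max_daily']}, mean {summary['mean_daily']:.1f})")
    print(f"average days private: {summary['mean_days_private']:.1f}")
```

Because only vulnerabilities that eventually became public can appear in such a dataset, every count this produces is a floor, which is why the report treats its numbers as a minimum estimate.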

Specialized companies are offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker (for example, 25 zero-days per year for USD 2.5 million); this has broken the monopoly that nation-states historically have held over the latest cyber weapon technology. Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year.