In association with heise online

10 July 2007, 15:10

Zero-day bugs have an average lifespan of one year


Security service provider Immunity puts the average lifespan of a zero-day bug at 348 days. Zero-day bugs are security holes that their discoverers do not disclose and for which no patch or other protection is available. This leaves systems exposed to attackers, who could break in undetected and, for example, manipulate or copy data. At the SyScan security conference, Justine Aitel, CEO of Immunity, said that large sums are paid for information on zero-day holes. Meanwhile, first attempts have been made to establish public auction platforms for bidding on such holes.

Immunity also buys information on vulnerabilities to protect its own paying clients, but does not disclose any details. This enables the service provider to measure how long it takes before somebody else also finds the hole and makes it public. According to Immunity, the shortest-lived bugs were made public within 99 days, while the longest lifespan was 1080 days, or nearly three years.

According to Aitel, most companies do not examine their own infrastructure for security holes. Licence terms for purchased software that prohibit such examination often complicate security assessments further. Companies should not assume that their infrastructure is free of vulnerabilities. "Always assume everything has holes. It's the truth: it does", Aitel said.
