Zero-day bugs have an average lifespan of one year
Security service provider Immunity has proposed that the average lifespan of zero-day bugs is 348 days. Zero-day bugs are security holes that are not disclosed by their discoverers and for which no patch or other kind of protection is provided. This situation leaves systems exposed to attackers, who could break into systems without being detected and, for example, manipulate or copy data. On the occasion of the SyScan security conference, Justine Aitel, CEO of Immunity, said that large sums are paid for information on zero-day holes. Meanwhile, first attempts have been made to establish public auction platforms for bids on such holes.
Immunity also buys information on vulnerabilities to protect their own paying clients, but does not disclose any details. This enables the service provider to determine how long it takes before somebody else also detects the hole and makes it public. According to Immunity, the shortest-lived bugs have been made public within 99 days, while the longest lifespan was 1080 days or nearly three years.
According to Aitel, most companies do not search their own infrastructures to discover security holes. Often, license terms for purchased software that prohibit such examination further complicate security assessments. Companies should not cherish the illusion that their infrastructure does not contain any vulnerabilities. "Always assume everything has holes. It's the truth: it does", Aitel said.
- Bid on exploits at new public auction platform , heise Security news
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
