Report: Government-held security vulnerabilities last for years


New research shows that security vulnerabilities governments and malicious hackers use to attack systems last, on average, nearly seven years without the public finding out about them. 

The United States government, like many other governments, uses hacking for intelligence and law enforcement purposes. That has led to debate over which is more beneficial to U.S. citizens: allowing the government to stockpile vulnerabilities, or alerting manufacturers that their products are vulnerable. Keeping vulnerabilities under wraps carries the risk that adversarial governments and criminals discover and exploit them against the U.S. public.

Though governments conduct their own research to discover new, so-called “zero-day” vulnerabilities, private brokers also sell vulnerabilities on a quasi-legal market. The U.S. has historically been an active consumer.

The report, compiled by researchers at the RAND institute, traced vulnerabilities in the possession of one of these brokers.

The RAND study found that vulnerabilities are “likely” to survive between 5.39 and 8.84 years without being publicly discovered, with an average of 6.9 years; a quarter of them lasted only 18 months or less.

RAND found no significant characteristics that determined which vulnerabilities were discovered sooner or later, but the report notes that it did not compare open source with closed source products, or Linux with other operating systems.

RAND calculates that, year over year, only around 1 in 20 vulnerabilities in a stockpile will be discovered by another researcher. Over the course of the study — 2002 to 2016 — only around 40 percent of the stockpile was discovered.

“If zero-day vulnerabilities are very hard to find, then the small probability that others will find the same vulnerability may also support the argument to retain a stockpile,” the report summarizes.

“On the other hand, our analysis shows that the collision rates for zero-day vulnerabilities are nonzero. Some may argue that, if there is any probability that someone else (especially an adversary) will find the same zero-day vulnerability, then the potentially severe consequences of keeping the zero-day private and leaving a population vulnerable warrant immediate vulnerability disclosure and patch.”