Google’s star security team, Project Zero, today unveiled its spreadsheet for tracking 0day vulnerabilities (Spreadsheet link: 0day “In the Wild”). In its blog post, the team stated that its goal is to “make zero-day hard” and to increase the cost of discovering and exploiting security vulnerabilities. Samples of 0day attacks provide a very valuable practical reference and are also helpful for security research. The team is sharing the 0day data it has collected from public sources in the hope of helping the security community.
The data in this table was collected by the team from public data sources, and the relevant links are attached to each 0day entry.
The team's statement emphasized, however, that this is only a collection of information: the team has not verified all of the data, so it is not necessarily completely reliable. Even so, the statistics yield some interesting figures:
- On average, a new “in the wild” exploit is discovered every 17 days (but in practice these often clump together in exploit chains that are all discovered on the same date);
- Across all vendors, it takes 15 days on average to patch a vulnerability that is being used in active attacks;
- A detailed technical analysis on the root-cause of the vulnerability is published for 86% of listed CVEs;
- Memory corruption issues are the root-cause of 68% of listed CVEs.
Finally, the team stated that it will continue to maintain this spreadsheet and hopes that the community can provide relevant help and advice.