
ANALYST BRIEF
The Known Unknowns
EMPIRICAL ANALYSIS OF PUBLICLY UNKNOWN SECURITY VULNERABILITIES

Author - Stefan Frei, PhD
Overview
In recent years, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. These groups have access to critical information that would allow them to compromise all vulnerable systems without the public ever having knowledge of the threats. These privately known vulnerabilities are regarded as the "known unknowns" of cyber security.
NSS Labs has analyzed ten years of data from two major vulnerability purchase programs, and the results reveal that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. Further, it has been found that these vulnerabilities remain private for an average of 151 days. These numbers are considered a minimum estimate of the "known unknowns", as it is unlikely that cyber criminals, brokers, or government agencies will ever share data about their operations.
Specialized companies are offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker (for example, 25 zero-days per year for USD $2.5 million); this has broken the monopoly that nation-states historically have held regarding ownership of the latest cyber weapon technology. Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year.

NSS Labs Analyst Brief - The Known Unknowns
NSS Labs Findings
The market for vulnerability and exploit information has grown significantly in recent years.
On any given day between 2010 and 2012, privileged groups had exclusive access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe; such access would have allowed these groups to compromise all vulnerable systems without public knowledge.
During the period under investigation, vulnerabilities remained private for an average of 151 days before a vendor patch was made available.
Jointly, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year, resulting in 85 privately known exploits being available on any given day of the year.
The true number of "known unknowns" is considerably higher than has been estimated, since many groups in possession of such information have no incentive to coordinate with the vendor of the affected software.
Nation-states no longer have a monopoly on the latest in cyber weapons technology.
NSS Labs Recommendations
Security professionals should make themselves aware of the clear and present risk presented by "known unknowns."
Enterprises should assume the network is already compromised, and assume that it will continue to be compromised.
As prevention is limited, enterprises should deploy tools and processes to quickly detect and remediate successful breaches.
Enterprises should respond to a breach with a well-defined process rather than considering it to be an exception; have in place an incident response plan that is subject to routine review.
Software vendors should take advantage of crowd sourcing via the establishment of a bug bounty program that would allow for early and more complete access to vulnerabilities affecting their products.

Table of Contents
Overview ... 1
NSS Labs Findings ... 2
NSS Labs Recommendations ... 2
Analysis ... 5
The Security Ecosystem & Vulnerability Life Cycle ... 5
Vulnerability Life Cycle ... 5
Vulnerability Disclosure Debate ... 6
Vulnerability Purchase Programs (VPPs) ... 8
The Known Unknowns ... 10
Quantification And Exposure Time ... 11
Expanding The Minimum Estimate ... 12
Internal Discovery By Software Vendor ... 13
Bug Bounty Programs By Software Vendor ... 13
Boutique Exploit Providers ... 13
Governments & Defense Contractors ... 14
Commercial Security Consulting ... 14
Exploit Brokers ... 14
Connecting The Dots ... 15
Appendix ... 16
Vulnerability Life Cycle Events ... 16
The Microsoft Approach To Coordinated Vulnerability Disclosure ... 17
Exploit Offerings ... 17
Reading List ... 18
Contact Information ... 19


Table of Figures
Figure 1 - Life Cycle Of A Vulnerability ... 6
Figure 2 - VCP And ZDI Vulnerability Disclosures And Average Pre-Disclosure Time Of Vulnerabilities In Days ... 8
Figure 3 - Total Purchases, Affected Software Vendors, And Average Time From Purchase To Publication ... 9
Figure 4 - Software Vendors For Which VCP And ZDI Purchased Vulnerabilities In The Last 10 Years (With Average Pre-Disclosure Time And Share Of The Purchases On All Vulnerabilities Of Given Vendor) ... 10
Figure 5 - The Known Unknowns In Information Security ... 11
Figure 6 - Summary Of The Known Unknowns For 2010 - 2012 ... 11
Figure 7 - Number Of Vulnerabilities Known Only To VCP And ZDI On Any Given Day Between 2002 And 2013 ... 12

Analysis
The rise in importance of information systems for the economy and for society as a whole has been accompanied by increased interest in the way in which security vulnerability information is managed and traded. Technical advancements within software design and development have not prevented the release of insecure software and consequently the appearance of vulnerabilities. Economic and other non-technical incentives increasingly are perceived as the primary reasons for today's heightened risk exposure. While outside the scope of this analyst brief, it should be noted that there is limited incentive for software vendors to dedicate the time and resources required to adequately secure code before it ships. Thus, NSS expects that enterprise software will continue to ship with significant latent vulnerabilities, which in turn will motivate third parties to hunt for them.
Society is still in the early phase of adapting to the opportunities and threats of information technology. During the embryonic phase of innovation, before the emergence of a dominant design, the industry is characterized by high levels of experimentation among producers and customers. The market for vulnerability and exploit information is a good example of this evolutionary process. Every participant, from producers to customers, is learning. Each time a vulnerability is discovered, diverse groups, often with conflicting motives and incentives, engage to build a security ecosystem. To better understand this ecosystem, it is necessary to examine the vulnerability life cycle, which describes the life of a vulnerability from discovery to eventual publication and release of a patch.
The Security Ecosystem & Vulnerability Life Cycle
Vulnerability Life Cycle
The life cycle of a vulnerability can be divided into phases between distinct events. Each phase reflects a specific state of the vulnerability and the associated risk exposure for the users of the affected software. To capture these phases, six events can be defined in the vulnerability life cycle: creation, discovery, exploit availability, disclosure, patch availability, and patch installation, as shown in Figure 1.
With some restrictions, the exact sequence of these events varies among individual vulnerabilities and the parties involved.
Pre-disclosure Phase
The phase prior to the public disclosure of a vulnerability defines the pre-disclosure risk, during which time most of the software users are not aware of the vulnerability and therefore cannot assess the risk or take mitigating action. Within a privileged group, however, the vulnerability is known to exist; therefore, the vulnerability is regarded as a "known unknown."
Post-disclosure Phase
After public disclosure of the vulnerability, the post-disclosure phase starts. During this period, the software users are provided with information that will allow them to assess the risk or to take mitigating action until a patch is released and installed, thereby remediating the root cause of the vulnerability.
The individual events defining the vulnerability life cycle are further documented in the Appendix.


Figure 1 - Life Cycle Of A Vulnerability
The exact sequence of these events is dependent on the manner in which the vulnerability information is managed by the discoverer, and as such, it is a direct function of the incentives and ethics of the discoverer.
Vulnerability Disclosure Debate
Over the past few years, software vendors and security researchers have vigorously debated the social desirability of disclosing vulnerability information. While making the information public will allow all affected parties to assess the risk and take remediating action, the information will also become available to attackers for misuse. The belief that electing to keep vulnerability information private is keeping it from attackers is valid only under the assumption that potential attackers have not yet discovered or otherwise obtained access to this information. This "disclosure debate," which is the debate over whether or not to divulge security information, is controversial, but it is not new; it has been an issue for locksmiths since the 19th century.[1,2]

As society's reliance on information technology has increased, information about security vulnerabilities has become a valuable asset, and it is not uncommon for ethical security researchers to require compensation for time spent uncovering vulnerabilities. Coordinated disclosure, which describes the scenario where researchers privately report findings to an affected vendor in order for the vendor to produce a security patch, fails to satisfy security researchers who expect financial compensation. However, reporting vulnerabilities to a software vendor with the expectation of compensation might be viewed as extortion by the vendor. On the other hand, cyber criminals or government agencies that are not bound by legal or ethical considerations are willing to invest considerable amounts in suitable vulnerability information. These conflicting goals, approaches, and mindsets highlight the immature state of the market.
While a market for vulnerabilities has developed, vulnerability commercialization remains a contentious issue that is linked to the concept of vulnerability disclosure. Today, vulnerability information is traded on the underground "black market," is available through commercial service offerings, and is available through brokers, while a number of software vendors have begun offering bounties for vulnerabilities that are reported directly to them.

[1] A. Hobbs, "Locks and Safes: The Construction of Locks," C. Tomlinson, Ed. Virtue & Co., London, 1853, 1868
[2] B. Schneier, "Locks and Full Disclosure," IEEE Security and Privacy, vol. 01, no. 2, p. 88, 2003

Once a vulnerability is discovered, the following options are available:
Do Nothing: The finder does nothing under the assumption that this is the best way to serve security; however, this assumption is incorrect because there is no guarantee that other parties have not already discovered the same vulnerability. The likelihood of independent discovery of the same vulnerability by third parties increases with time.
Coordinated Disclosure: The finder privately discloses newly discovered vulnerabilities either to the vendor of the affected product, or to a national CERT program or other vulnerability program coordinator. The finder gives the vendor opportunity to analyze the vulnerability and provide an update before disclosing detailed information to the public. Upon release of an update, the vendor recognizes the finder in bulletins or advisories for finding and privately reporting the issue.
Full Disclosure: The finder provides instant, full disclosure of vulnerability information to all affected parties, including potential attackers. While coordinated disclosure is more desirable from the security perspective, the threat of full disclosure helps to motivate software vendors that are not responsive or that fail to act on information about vulnerabilities in their products. Further, full disclosure is a viable option for vulnerabilities discovered in software that is no longer supported by a vendor, or where the vendor no longer exists.
Bug Bounties / Selling Information: The finder sells the information either directly or through a broker. Examples of typical buyers include:
Cyber criminals who use the information for attacks.
Security companies that coordinate with affected vendors (while providing "ahead of the threat" protection in their products).
Government agencies that use the information to protect their countries or to attack other countries.
An increasing number of software vendors offer bounties in exchange for reporting product vulnerabilities directly to them.
An increasing number of specialized companies research vulnerabilities with the sole purpose of selling them or their derived exploits to interested parties.
Clearly, there are a number of ways for vulnerability information to be made available only to privileged groups (excluding the vendor or users of the affected software), possibly for extended periods of time.
Such groups range from lone hackers and cyber criminals to government agencies that will want to take advantage of their exclusive knowledge of the vulnerability and thus will have no desire to make the information public.
In order to assess and quantify the risk of the "known unknowns", NSS analyzed data from two well-known vulnerability purchase programs (VPPs).
Vulnerability Purchase Programs (VPPs)
Traditionally, the primary players in the commercial vulnerability market have been iDefense, which started its Vulnerability Contributor Program (VCP)[3] in 2002, and TippingPoint, which started its Zero Day Initiative (ZDI)[4] in 2005. Both vendors publicly advertise their vulnerability handling services and policies. With VPPs, it is a challenge for the sellers to demonstrate and the buyers to ensure that there is no malicious intent. The VCP and ZDI programs typically purchase vulnerability information to protect customers before a vulnerability becomes public knowledge, subsequently informing the vendor of the affected software. The VCP and ZDI programs advertise their ethics and request that security researchers accept lower compensation with the assurance that the information will be used for benevolent purposes.
Upon publication of a purchased vulnerability, both programs provide detailed technical information on the vulnerability and on the timeline from its initial purchase through publication. This information allows for an estimate of the pre-disclosure risk and allows for quantification of the "known unknowns." The VCP and ZDI programs together purchased 2,392 vulnerabilities from their launches up until September 23, 2013. Figure 2 depicts the yearly volume of vulnerabilities published by the VCP and ZDI programs together with the average time from purchase to disclosure of these vulnerabilities for the years 2002 to 2012. Figure 3 lists the key aggregates of these two programs.

Figure 2 - VCP And ZDI Vulnerability Disclosures And Average Pre-Disclosure Time Of Vulnerabilities In Days
[Figure 2 chart: x-axis Year (2000 to 2014); y-axis 0 to 500; series "Disclosures" and "Avg. Days"]

[3] http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense
[4] http://www.zerodayinitiative.com
Program            Program Inception   Total Purchases   Targeted Vendors   Time To Disclosure
iDefense VCP       2002                969               193                133 days
TippingPoint ZDI   2005                1,423             92                 174 days
Figure 3 - Total Purchases, Affected Software Vendors, And Average Time From Purchase To Publication
It is significant that the average time from vulnerability purchase to public disclosure is 133 days for VCP and 174 days for ZDI. This is a lengthy period of time for a process of coordinated disclosure, particularly when considering that an affected vendor would be motivated to release a patch as quickly as possible. It is clear that vulnerabilities acquired by cyber criminals or by government agencies (with an interest in keeping the information private) remain unknown to the public for extended periods of time. In fact, Symantec found the average zero-day attack persists for almost a full year - 312 days - before it is detected.[5]
Neither the VCP nor the ZDI program purchases all vulnerabilities offered; they prioritize based on type, criticality, and targeted software/vendor, in order to align expenditures with their business objectives. Thus, the majority of vulnerabilities purchased are rated as highly critical and target prevalent software products. Figure 4 lists the software vendors for which both programs have purchased at least 10 vulnerabilities within the past decade. Vulnerabilities in the products of these widely recognized vendors pose a significant risk to enterprises and to society as a whole.


[5] Zero-Day World - http://www.symantec.com/connect/blogs/zero-day-world
 #   Vendor Affected   Total Purchases (VCP / ZDI / VCP+ZDI)   Days Private   Vendor Share (%)
 1   Microsoft         153 / 237 /  390                        181            14
 2   Apple              38 / 171 /  209                        129            10
 3   HP                 17 / 157 /  174                        233            19
 4   Adobe              59 / 102 /  161                        119            17
 5   Oracle             29 / 114 /  143                        166             8
 6   Novell             30 / 112 /  142                        142            10
 7   IBM                58 /  67 /  125                        226             8
 8   RealNetworks       19 /  73 /   92                        262            49
 9   Sun                34 /  26 /   60                        139             3
10   Symantec           20 /  39 /   59                        198            18
11   Mozilla             8 /  51 /   59                         80             3
12   CA                 23 /  30 /   53                        131            29
13   EMC                11 /  35 /   46                        131            38
14   Cisco              10 /  20 /   30                        229             2
15   WebKit             13 /  14 /   27                        138             3
16   Trend Micro        15 /  10 /   25                         94            24
17   Samba               9 /  14 /   23                         63            28
18   Ipswitch           15 /   8 /   23                         38            23
19   SAP                 4 /  10 /   14                        143            13
     Total             565 / 1290 / 1855
     Average                                                   153            17
Figure 4 - Software Vendors For Which VCP And ZDI Purchased Vulnerabilities In The Last 10 Years
(With Average Pre-Disclosure Time And Share Of The Purchases On All Vulnerabilities Of Given Vendor)
The average pre-disclosure time for these vendors again is considerable: 153 days, or five months, over the past 10 years. Further, Figure 4 reveals that the VCP and ZDI programs together feed a remarkable number of vulnerabilities to the affected software vendors. For example, 14 percent of all Microsoft vulnerabilities, 10 percent of all Apple vulnerabilities, and 17 percent of all Adobe vulnerabilities published in the past 10 years were reported to the software vendor through the VCP or ZDI programs. These numbers demonstrate that VPPs attract a considerable share of the vulnerabilities of a given software vendor, despite the fact that the VPP rates are considerably lower than those offered by the black market.
In order to quantify the "known unknowns," the following sections further explore the aggregate statistics of the vulnerabilities purchased by the VCP and ZDI programs and of their targeted vendors.
The Known Unknowns
Over the past 12 months, there have been reports regarding changes within and expansion of the vulnerability and exploit markets. New entrants to the vulnerability or exploit markets, as well as existing companies, have received considerable media attention, either because of their findings or because they have won highly-publicized hacking contests. It has long been accepted that cyber criminals operate with privileged vulnerability information; however, the Stuxnet attack in 2010 and other more recent revelations have exposed to a wider audience the existence and operations of suppliers of critical vulnerability information, and also of government-sponsored programs. During the pre-disclosure phase, these groups have exclusive access to critical information, which would allow for the compromise of all vulnerable systems without the public ever being aware of the threat.
These privately known vulnerabilities are the "known unknowns," as depicted in Figure 5: a vulnerability is known to exist and to pose a security threat, but the public does not know about it and therefore cannot assess or remediate the risk.

Figure 5 - The Known Unknowns In Information Security
Quantification And Exposure Time
Due to the inaccessibility, privacy, or unavailability of data, only certain aspects of the "known unknowns" can be measured with the information that is publicly available. It is unlikely that cyber criminals or government agencies will ever share data about their operations, and software manufacturers are reluctant to publish data about their internal processes for managing vulnerabilities. However, the empirical data presented in the previous section provides valuable insight, including a minimum estimate of the amount of "known unknowns" that users are exposed to, as well as the length of time during which they are exposed.
The number of vulnerabilities known exclusively to these programs can be calculated for each day since 2002. For example, on August 1, 2012:
VCP had 20 purchased, but not yet published, vulnerabilities in its processing queue
ZDI had 93 purchased, but not yet published, vulnerabilities in its processing queue
Figure 7 plots the number of vulnerabilities known exclusively by the VCP and ZDI programs for every day since 2002. The darkly shaded area depicts the subset of vulnerabilities affecting only Microsoft, Apple, Oracle, Sun, and Adobe products. Figure 6 lists average numbers for 2010, 2011, and 2012.
Targeted Vendors                        Vulnerabilities (2010, 2011, and 2012)   Time To Disclosure (average, in days)   Known Unknowns (average per day)
All vendors                             1,026                                    187                                     132
Microsoft, Apple, Oracle, Sun, Adobe    452                                      151                                     58
Figure 6 - Summary Of The Known Unknowns For 2010 - 2012
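The per-day count behind Figure 6 and Figure 7 (purchased but not yet published on a given day) and the average purchase-to-publication time can be reproduced from a list of purchase and publication dates with a single sweep over the timeline. The following Python is an added example, not NSS Labs code or data: the records are constructed, the function names are assumptions, and the Little's law helper is this editor's reading of the brief's "100 exploits per year, 312 days private" arithmetic.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class PurchasedVuln:
    program: str               # purchase program, e.g. "VCP" or "ZDI"
    vendor: str                # vendor of the affected software
    purchased: date            # day the program acquired the report
    published: Optional[date]  # public disclosure day; None while still in the queue


TOP_VENDORS: Set[str] = {"Microsoft", "Apple", "Oracle", "Sun", "Adobe"}

# Constructed sample records (hypothetical; the real VCP/ZDI timelines are not reproduced).
SAMPLE: List[PurchasedVuln] = [
    PurchasedVuln("VCP", "Microsoft", date(2012, 7, 1), date(2012, 9, 1)),
    PurchasedVuln("ZDI", "Adobe", date(2012, 7, 15), date(2012, 8, 15)),
    PurchasedVuln("ZDI", "Oracle", date(2012, 6, 1), date(2012, 8, 1)),
    PurchasedVuln("VCP", "Novell", date(2012, 8, 1), date(2012, 10, 30)),
    PurchasedVuln("ZDI", "Apple", date(2012, 5, 1), None),
    PurchasedVuln("VCP", "Microsoft", date(2012, 9, 10), date(2012, 9, 20)),
]
EXAMPLE_DAY = date(2012, 8, 1)
EXAMPLE_END = date(2012, 8, 16)
YEAR_END = date(2012, 12, 31)


def is_private_on(v: PurchasedVuln, day: date) -> bool:
    """A purchased report is a known unknown on `day` if it was bought on or
    before that day and had not yet been published on that day."""
    return v.purchased <= day and (v.published is None or v.published > day)


def known_unknowns_on(vulns: Iterable[PurchasedVuln], day: date,
                      vendors: Optional[Set[str]] = None) -> int:
    """Direct count for a single day (the 'August 1, 2012' style of figure)."""
    return sum(1 for v in vulns
               if is_private_on(v, day) and (vendors is None or v.vendor in vendors))


def queue_by_program(vulns: Iterable[PurchasedVuln], day: date) -> Dict[str, int]:
    """Unpublished backlog per program on one day."""
    queue: Dict[str, int] = {}
    for v in vulns:
        if is_private_on(v, day):
            queue[v.program] = queue.get(v.program, 0) + 1
    return queue


def daily_known_unknowns(vulns: Iterable[PurchasedVuln], start: date, end: date,
                         vendors: Optional[Set[str]] = None) -> List[int]:
    """Count for every day in [start, end] with one sweep: each record adds +1 on
    its purchase day and -1 on its publication day (difference array); a prefix
    sum then yields the daily totals. Linear in records plus days."""
    ndays = (end - start).days + 1
    delta = [0] * (ndays + 1)
    for v in vulns:
        if vendors is not None and v.vendor not in vendors:
            continue
        first = max((v.purchased - start).days, 0)
        last_excl = ndays if v.published is None else min((v.published - start).days, ndays)
        if first < last_excl:  # record overlaps the window at all
            delta[first] += 1
            delta[last_excl] -= 1
    counts: List[int] = []
    running = 0
    for i in range(ndays):
        running += delta[i]
        counts.append(running)
    return counts


def average_known_unknowns(vulns: Iterable[PurchasedVuln], start: date, end: date,
                           vendors: Optional[Set[str]] = None) -> float:
    counts = daily_known_unknowns(vulns, start, end, vendors)
    return sum(counts) / len(counts)


def average_pre_disclosure_days(vulns: Iterable[PurchasedVuln], published_from: date,
                                published_to: date, vendors: Optional[Set[str]] = None) -> float:
    """Mean purchase-to-publication time over records published inside the window;
    unpublished records are excluded because their exposure time is still open."""
    spans = [(v.published - v.purchased).days for v in vulns
             if v.published is not None and published_from <= v.published <= published_to
             and (vendors is None or v.vendor in vendors)]
    return sum(spans) / len(spans) if spans else 0.0


def steady_state_private_count(per_year: float, avg_private_days: float) -> float:
    """Little's law: items arriving at `per_year` and staying private for
    `avg_private_days` each give this many privately known items on an average day."""
    return per_year * avg_private_days / 365.0


if __name__ == "__main__":
    print("known unknowns on", EXAMPLE_DAY, "=", known_unknowns_on(SAMPLE, EXAMPLE_DAY))
    print("per program:", queue_by_program(SAMPLE, EXAMPLE_DAY))
    print("top vendors only:", known_unknowns_on(SAMPLE, EXAMPLE_DAY, TOP_VENDORS))
    print("daily average Aug 1-16:", average_known_unknowns(SAMPLE, EXAMPLE_DAY, EXAMPLE_END))
    print("avg pre-disclosure days:", average_pre_disclosure_days(SAMPLE, EXAMPLE_DAY, YEAR_END))
    print("100 exploits/yr x 312 days ->", round(steady_state_private_count(100, 312)))
```

A report published on the day being counted is no longer private on that day, which is why the Oracle record in the sample does not count on August 1.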
From 2010 to 2012, the VCP and ZDI programs together published 1,026 vulnerabilities, of which 423 (44 percent) target Microsoft, Apple, Oracle, Sun, and Adobe products. The average time from purchase to publication is 187 days (or 151 days for the five vendors). On any given day during these three years, the VCP and ZDI programs possessed 58 unpublished vulnerabilities affecting the five vendors, or 132 vulnerabilities in total. As no public information is available regarding the quantity of vulnerabilities possessed by cyber criminals, different brokers, or government agencies, these numbers are considered a minimum estimate of the total number of privately known vulnerabilities existing on any given day.

Figure 7 - Number Of Vulnerabilities Known Only To VCP And ZDI On Any Given Day Between 2002 And 2013
Figure 7 illustrates the number of "known unknowns" from July 2002 to February 2013. In September 2006, vulnerabilities increased to more than 100 per day, and in mid-2012, there was a significant decrease in vulnerabilities followed by a quick recovery.
This data reveals that on any given day over the past three years, the VCP and ZDI programs have had exclusive knowledge of 58 vulnerabilities targeting the products of major software vendors. This would have allowed them to attack most of the private and corporate users of these software products, and with a high probability of success, given that the attacks were not yet known. Since the VCP and ZDI programs use this information only for the purpose of building better protection for their customers, and since they share the information with the software vendors in order to develop and release patches, the overall risk is comparatively low. This analysis, however, clearly demonstrates that critical vulnerability information is available in significant quantities for private groups, for extended periods and at a relatively low cost.
Expanding The Minimum Estimate
It is NSS' belief that the previous figures represent only a minimum estimate of the number of "known unknowns" and of the amount of time that users are exposed to them. Some of the parties involved in the exploitation of vulnerabilities have no desire to coordinate vulnerability information with the affected vendors, potentially using this information for offensive operations.
[Figure 7 chart residue: y-axis "private vulnerabilities" 0 to 250; x-axis Jan-02 to Jan-13; series "All vendors" and "Top-5 vendors"]
Internal Discovery By Software Vendor
Software vendors conduct internal vulnerability research either with their internal researchers or by contracting third-party code reviews and assessments. The findings remain internal knowledge and the software vendor makes the decisions regarding which vulnerabilities will be remediated and when this remediation will occur. This results in a number of vulnerabilities being known only privately and remaining unpatched for extended periods of time. Such vulnerabilities are often silently patched in new software releases following their discovery. Such delayed and silent patching not only exposes software users to the vulnerabilities for extended periods of time, it also denies users the opportunity to perform independent risk assessment or to take mitigating actions. Occasionally, these vulnerabilities that are discovered internally are later re-discovered by an independent third party that will then coordinate with the vendor. In such cases there will appear to be a truncated delay between "discovery" (by the second finder) and patch availability.
Bug Bounty Programs By Software Vendor
Over the past few years, a growing number of software vendors have introduced bug bounty programs, in which finders are compensated for reporting vulnerabilities directly to the software vendors, rather than going public with the information or selling it on the black market. The Mozilla Foundation was one of the first to introduce a bounty program, and since then Google, Facebook, PayPal, and others have followed. This summer, Microsoft, which has long resisted such a system, introduced its bug bounty program.
Google paid approximately USD $580,000 over three years for 501 vulnerabilities discovered in the Chrome browser (= 28 percent of the patched vulnerabilities in the same period)
Mozilla paid approximately USD $570,000 over three years for 190 vulnerabilities discovered in its Firefox browser (= 24 percent of the patched vulnerabilities in the same period)
Facebook has paid approximately USD $1 million since the 2011 inception of its program
Microsoft has paid approximately USD $100,000 since the June 2013 inception of its program for reporting new exploitation techniques
Recent research has found such programs to be economically efficient, comparing favorably to the cost of hiring full-time security researchers to locate bugs internally.[6] Bug bounty programs offered by software vendors generally benefit security as they can attract many vulnerabilities that might otherwise be used offensively. A software vendor has less time to delay remediation of vulnerabilities that are reported through a bug bounty program than if the vulnerabilities had been discovered internally.
Boutique Exploit Providers
There is an increasing number of commercial players that offer zero-day exploits for their subscribers. Such groups do not reveal their clients, but big buyers reportedly include government agencies. Endgame Systems, for example, offered subscribers 25 zero-day exploits per year for USD $2.5 million, according to its February 2010 price list.[7]
According to a recent article in The New York Times, firms such as VUPEN (France), ReVuln (Malta), Netragard, Endgame Systems, and Exodus Intelligence (US) advertise that they sell knowledge of security vulnerabilities for cyber espionage.[8] The average price lies between USD $40,000 and USD $160,000. Although some firms restrict their clientele, either based on country of origin or on decisions to sell to specific governments only, the ability to bypass this restriction through proxies seems entirely possible for determined cyber criminals. Based on service brochures and public reports, these providers can deliver at least 100 exclusive exploits per year (see Appendix for sources).

[6] An Empirical Study of Vulnerability Reward Programs, http://www.cs.berkeley.edu/~devdatta/papers/vrp-paper.pdf
[7] Cyber Weapons: The New Arms Race, http://www.businessweek.com/magazine/cyber-weapons-the-new-arms-race-07212011.html
Governments & Defense Contractors
Long before the advent of the Internet, leading defense contractors (from all of the Group Of Twenty [G20] countries) used information warfare techniques. Many of these defense contractors have extended their services to include "cyber warfare" capabilities and are offering these for sale to their long-standing government customers. Defense contractors generally avoid media attention (unlike the boutique exploiters), but based on their resources and on their current scale of recruitment, they serve a considerable share of the exploit market.[9] Recently, it was revealed that the National Security Agency (NSA) plans to spend USD $25 million on exploit purchases this year.[10] Given the average street price for zero-day exploits, this translates to more than 100 exploits. Countries such as Israel, Britain, Russia, India, and Brazil are some of the bigger spenders.[8]

Commercial Security Consulting
A commercially effective way to acquire zero-day exploits is through reverse engineering. Many large security consulting organizations employ teams of highly skilled reverse engineers and can deliver exploits for any software package. Instead of purchasing exploits on the market, an organization contracts with a team of reverse engineers that it deploys on-site to locate and weaponize vulnerabilities in specified software products.[9] At the end of the engagement, the vulnerabilities, exploits, and reports belong exclusively to the client. How the client chooses to use this information is entirely its business.
Exploit Brokers
Specialized, well-connected brokers offer to connect buyers and sellers for a percentage of the transaction price. Trades are assumed to be exclusive, and the vendor of the affected software is not informed. Some fees are paid in installments over periods of time in order to ensure that the seller of the vulnerability does not also sell the vulnerability to other interested parties, thus increasing the risk of the information leaking to the affected software vendor. Brokers package exploits for sale to buyers and, much like selling commercial software, the exploits are professionally marketed and include documentation and support. In the past year, this market has exploded, with more buyers emerging and with these buyers willing to pay higher prices.[11]


[8] "Nations Buying as Hackers Sell Flaws in Computer Code," New York Times, July 13, 2013, http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
[9] "The Business Of Commercial Exploit Development," DarkReading, November 20, 2013, http://www.darkreading.com/hacked-off/the-business-of-commercial-exploit-devel/240142392
[10] "The NSA hacks other countries by buying millions of dollars worth of computer vulnerabilities," Washington Post, August 31, 2013, http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities
[11] "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits," Forbes, March 23, 2012, http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits
Connecting The Dots
As the analysis shows, on any given day for the past three years, the VCP and ZDI programs have had private knowledge of at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, Sun, or Adobe, or of 132 vulnerabilities targeting the 19 vendors for which either program purchased more than 10 vulnerabilities. Given the average risk ratings, it can be reasonably assumed that a considerable number of these vulnerabilities are exploitable. Information on these vulnerabilities is coordinated with the affected software vendors.
Add to this the number of vulnerabilities/exploits that are not publicly traded or discovered and that are definitively not coordinated with the software vendor. Together, the boutique exploit providers mentioned previously are able to offer in excess of 100 exploits per year. Assuming an average of 312 days[3] before a zero-day exploit is publicly discovered results in at least another 85 exploits privately known on any given day.
Given the NSA budget of USD $25 million for the purchase of exploits in 2013 and given that the documented price of an exploit ranges from USD $40,000 to USD $250,000, it can be assumed that this will result in at least another 100 to 625 exploits per year[11] - or 86 to 341 known unknowns on any given day, provided the market can satisfy the demand.
Since there is no reliable information to further quantify "known unknowns" that are in the hands of cyber criminals or that are privately developed through consulting contracts, the assertion that there are 100 exploits available to privileged groups on any given day must be considered a reasonable minimum estimate of the "known unknowns."
It is safe to assume that cyber criminals and government agencies primarily purchase vulnerabilities and exploits that target prevalent products from major vendors. Therefore, these "known unknowns" pose a real and present threat to the security of corporate and private software users.
The statistics presented in this brief do not include vulnerabilities in online services such as Facebook, Twitter, Google, e-Bay, and Salesforce. As more software becomes available as online services, i.e., software as a service (SaaS), there will be increased risk.
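To make the arithmetic behind these estimates concrete, the following added example (not code from the brief; the vulnerability records are a constructed sample, not VCP/ZDI data) counts how many vulnerabilities are privately known on a given day from their known/disclosed dates, averages that over a period, and reproduces the brief's steady-state estimate: 100 exploits per year, each private for 312 days on average, gives about 85 on any given day, and a USD $25 million budget at USD $40,000 to $250,000 per exploit gives 100 to 625 exploits per year.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

def day(iso: str) -> date:
    """Parse YYYY-MM-DD (keeps the sample data readable)."""
    return date.fromisoformat(iso)

@dataclass(frozen=True)
class Vuln:
    """When a privileged party learned of the bug, and when it went public (None = still private)."""
    name: str
    known: date
    disclosed: Optional[date] = None

# Constructed sample; not data from the VCP/ZDI purchase programs analysed in the brief.
SAMPLE = [
    Vuln("vuln-A", day("2013-01-01"), day("2013-04-01")),  # private for 90 days
    Vuln("vuln-B", day("2013-02-01"), day("2013-03-03")),  # private for 30 days
    Vuln("vuln-C", day("2013-03-01")),                     # still private
]

def privately_known_on(when: date, vulns) -> int:
    """Known unknowns on one day: already known to the privileged group, not yet public."""
    return sum(1 for v in vulns
               if v.known <= when and (v.disclosed is None or when < v.disclosed))

def daily_average(vulns, start: date, end: date) -> float:
    """Average number of known unknowns per day over [start, end], inclusive."""
    days = (end - start).days + 1
    return sum(privately_known_on(start + timedelta(d), vulns) for d in range(days)) / days

def average_private_days(vulns, as_of: date) -> float:
    """Mean days each vulnerability stayed private; still-private ones count up to as_of."""
    spans = [((v.disclosed or as_of) - v.known).days for v in vulns]
    return sum(spans) / len(spans)

def steady_state_known_unknowns(exploits_per_year: float, avg_private_days: float) -> float:
    """The brief's arithmetic: N exploits/year, each private ~D days, gives N * D / 365 per day."""
    return exploits_per_year * avg_private_days / 365

def known_unknowns_from_budget(budget_usd, price_low, price_high, avg_private_days):
    """A purchase budget and a per-exploit price range -> (exploits/year, per-day) ranges."""
    per_year = (budget_usd / price_high, budget_usd / price_low)
    return per_year, tuple(steady_state_known_unknowns(n, avg_private_days) for n in per_year)
```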
Appendix
Vulnerability Life Cycle Events
Analysis and empirical data on the sequence of these events can be found here.[12]

Vulnerability Creation: Vulnerabilities typically are the result of a coding error. If the vulnerability remains undetected throughout the development and testing phases, it will be included in the code that is released publicly. The exact time that a vulnerability is created is by definition typically unknown; it may, however, be retrospectively determined, i.e., once it has been discovered or disclosed. If a vulnerability is malicious and thus intentionally created, discovery and creation time coincide.

Vulnerability Discovery: The time of discovery is the earliest time that a software vulnerability is recognized as posing a security risk. Vulnerabilities do exist before they are discovered, but prior to the discovery of the vulnerability, the underlying defect is not recognized as a security risk. Usually the time of discovery is not publicly known until after the vulnerability's disclosure, if at all.

Exploit Availability: An exploit is a piece of software, set of data, or sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur in the targeted software. Exploits for vulnerabilities that are not yet known publicly are known as zero-day exploits, or "0-days."

Vulnerability Disclosure: The time at which information about a vulnerability is made freely available, and in an understandable format, to the general public. From a security perspective, only free and public disclosure of vulnerability information can ensure that all interested, affected, or concerned parties receive the relevant security information.

Patch Availability: The earliest time that the software vendor releases a patch that can provide protection against the exploitation of the vulnerability. Software vendors cannot make security patches available instantly upon the discovery of new vulnerabilities or exploits. While some vendors publish patches as soon as they are available, others publish patches on a predefined schedule for planning purposes.


[12] Modeling the Security Ecosystem - http://www.techzoom.net/papers/weis_security_ecosystem_2009.pdf
The Microsoft Approach To Coordinated Vulnerability Disclosure
Under the principle of coordinated vulnerability disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to protect themselves.[13]

Exploit Offerings
Minimum estimate of exploits offered by boutique exploit providers

Provider | Offering | Remark / Source
Endgame Systems | 25 exploits/year, USD $2.5 million | Business Week, http://www.businessweek.com/magazine/cyber-weapons-the-new-arms-race-07212011.html
Exodus Intelligence | 60 exploits/year | Service Offering, https://www.exodusintel.com/rsrc/ExodusIntelligence_Ex.pdf
ReVuln | > 9 exploits/year | Minimum estimate by counting exploits demonstrated here: http://vimeo.com/33806381 (2013-09-27)
VUPEN | > 7 exploits/year; > 13 to 20 binary analysis and private 1-day exploits/month | Minimum estimate by counting the list of published exploits here: http://www.vupen.com/blog/ (2013-09-27); Service Offering: http://www.vupen.com/english/services/ba-gov.php


[13] http://www.microsoft.com/security/msrc/report/disclosure.aspx#
Reading List
The Targeted Persistent Attack (TPA) - The Misunderstood Security Threat Every Enterprise Faces. NSS Labs
https://www.nsslabs.com/reports/targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise-faces
Top 20 Best Practices To Help Reduce The Threat Of The Targeted Persistent Attack. NSS Labs
https://www.nsslabs.com/reports/top-20-best-practices-help-reduce-threat-targeted-persistent-attack
Correlation Of Detection Failures. NSS Labs
https://www.nsslabs.com/system/files/public-report/files/Correlation%20Of%20Detection%20Failures.pdf

© 2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.
Please note that access to or use of this report is conditioned on the following:
1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.
Contact Information
NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.
