Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Zero-day vulnerability
open-in-new
<h2 id="definition">Definition</h2> <p>Despite developers' goal of delivering a product that works entirely as intended, virtually all <a href="/facts/Software_bug/I1uSXySv">software</a> and <a href="/facts/Hardware_bug/dsCVKPmN">hardware</a> contain bugs.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> If a bug creates a security risk, it is called a <a href="/facts/Vulnerability_(computer_security)/jg0Gr71M">vulnerability</a>. Vulnerabilities vary in their ability to be <a href="/facts/Exploit_(computer_security)/EdlqsRJM">exploited</a> by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a <a href="/facts/Denial_of_service_attack/6nkoK02J">denial of service attack</a>. The most valuable allow the attacker to <a href="/facts/Code_injection/6gPRDpd1">inject</a> and run their own code, without the user being aware of it.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> Although the term "zero-day" initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no <a href="/facts/Software_patch/sIHVBPls">patch</a> or other fix is available.<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a><a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a><a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a> A zero-day exploit is any exploit that takes advantage of such a vulnerability.<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> </p> <h2 id="exploits">Exploits</h2> <p>An <a href="/facts/Exploit_(computer_security)/EdlqsRJM">exploit</a> is the delivery mechanism that takes advantage of the vulnerability to penetrate the target's systems, for such purposes as disrupting operations, installing <a href="/facts/Malware/5ee7TLFR">malware</a>, or <a href="/facts/Data_breach/xGxRFY1A">exfiltrating data</a>.<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a> Researchers Lillian Ablon and Andy Bogart write that "little is known about the true extent, use, benefit, and harm of zero-day exploits".<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a> Exploits based on zero-day vulnerabilities are considered more dangerous than those that take advantage of a known vulnerability.<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a><a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a> However, it is likely that most cyberattacks use known vulnerabilities, not zero-days.<a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a> </p><p>Governments of states are the primary users of zero-day exploits, not only because of the high cost of finding or buying vulnerabilities, but also the significant cost of writing the attack software. Nevertheless, anyone can use a vulnerability,<a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a> and according to research by the <a href="/facts/RAND_Corporation/zArfRxf9">RAND Corporation</a>, "any serious attacker can always get an affordable zero-day for almost any target".<a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a> Many targeted attacks<a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a> and most <a href="/facts/Advanced_persistent_threat/cc8jXB2F">advanced persistent threats</a> rely on zero-day vulnerabilities.<a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a> </p><p>The average time to develop an exploit from a zero-day vulnerability was estimated at 22 days.<a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a> The difficulty of developing exploits has been increasing over time due to increased anti-exploitation features in popular software.<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a> </p> <h3>Window of vulnerability</h3> <p>Zero-day vulnerabilities are often classified as alive—meaning that there is no public knowledge of the vulnerability—and dead—the vulnerability has been disclosed, but not patched. If the software's maintainers are actively searching for vulnerabilities, it is a living vulnerability; such vulnerabilities in unmaintained software are called immortal. Zombie vulnerabilities can be exploited in older versions of the software but have been patched in newer versions.<a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a> </p><p>Even publicly known and zombie vulnerabilities are often exploitable for an extended period.<a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a><a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a> Security patches can take months to develop,<a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a> or may never be developed.<a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a> A patch can have negative effects on the functionality of software<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a> and users may need to <a href="/facts/Software_testing/VoXzG9Tb">test</a> the patch to confirm functionality and compatibility.<a class="footnote-ref" id="fnref:30" href="#fn:30"><sup>30</sup></a> Larger organizations may fail to identify and patch all dependencies, while smaller enterprises and personal users may not install patches.<a class="footnote-ref" id="fnref:31" href="#fn:31"><sup>31</sup></a> </p><p>Research suggests that risk of cyberattack increases if the vulnerability is made publicly known or a patch is released.<a class="footnote-ref" id="fnref:32" href="#fn:32"><sup>32</sup></a> Cybercriminals can <a href="/facts/Reverse_engineer/pmJCV7J7">reverse engineer</a> the patch to find the underlying vulnerability and develop exploits,<a class="footnote-ref" id="fnref:33" href="#fn:33"><sup>33</sup></a> often faster than users install the patch.<a class="footnote-ref" id="fnref:34" href="#fn:34"><sup>34</sup></a> </p><p>According to research by <a href="/facts/RAND_Corporation/zArfRxf9">RAND Corporation</a> published in 2017, zero-day exploits remain usable for 6.9 years on average,<a class="footnote-ref" id="fnref:35" href="#fn:35"><sup>35</sup></a> although those purchased from a third party only remain usable for 1.4 years on average.<a class="footnote-ref" id="fnref:36" href="#fn:36"><sup>36</sup></a> The researchers were unable to determine if any particular platform or software (such as <a href="/facts/Open-source_software/HzTaB8E9">open-source software</a>) had any relationship to the life expectancy of a zero-day vulnerability.<a class="footnote-ref" id="fnref:37" href="#fn:37"><sup>37</sup></a> Although the RAND researchers found that 5.7 percent of a stockpile of secret zero-day vulnerabilities will have been discovered by someone else within a year,<a class="footnote-ref" id="fnref:38" href="#fn:38"><sup>38</sup></a> another study found a higher overlap rate, as high as 10.8 percent to 21.9 percent per year.<a class="footnote-ref" id="fnref:39" href="#fn:39"><sup>39</sup></a> </p> <h2 id="countermeasures">Countermeasures</h2> <p>Because, by definition, there is no patch that can block a zero-day exploit, all systems employing the software or hardware with the vulnerability are at risk. This includes secure systems such as banks and governments that have all patches up to date.<a class="footnote-ref" id="fnref:40" href="#fn:40"><sup>40</sup></a> Security systems are designed around known vulnerabilities, and repeated exploitations of a zero-day exploit could continue undetected for an extended period of time.<a class="footnote-ref" id="fnref:41" href="#fn:41"><sup>41</sup></a> Although there have been many proposals for a system that is effective at detecting zero-day exploits, this remains an active area of research in 2023.<a class="footnote-ref" id="fnref:42" href="#fn:42"><sup>42</sup></a> </p><p>Many organizations have adopted <a href="/facts/Defense-in-depth/2P70n6oB">defense-in-depth</a> tactics so that attacks are likely to require breaching multiple levels of security, which makes it more difficult to achieve.<a class="footnote-ref" id="fnref:43" href="#fn:43"><sup>43</sup></a> Conventional cybersecurity measures such as training and <a href="/facts/Access_control/08zE5Pz8">access control</a> such as <a href="/facts/Multi-factor_authentication/186gpx8R">multi-factor authentication</a>, <a href="/facts/Principle_of_least_privilege/sqsT4tln">least-privilege access</a>, and <a href="/facts/Air_gap_(networking)/1b2J4BJo">air-gapping</a> makes it harder to compromise systems with a zero-day exploit.<a class="footnote-ref" id="fnref:44" href="#fn:44"><sup>44</sup></a> Since writing perfectly secure software is impossible, some researchers argue that driving up the cost of exploits is a good strategy to reduce the burden of cyberattacks.<a class="footnote-ref" id="fnref:45" href="#fn:45"><sup>45</sup></a> </p> <h2 id="market">Market</h2> <p class="note">Main article: <a href="/facts/Market_for_zero-day_exploits/yFTFrlSj">Market for zero-day exploits</a></p> <p>Zero-day exploits can fetch millions of dollars.<a class="footnote-ref" id="fnref:46" href="#fn:46"><sup>46</sup></a> There are three main types of buyers:<a class="footnote-ref" id="fnref:47" href="#fn:47"><sup>47</sup></a> </p> <ul><li>White: the vendor, or to third parties such as the <a href="/facts/Zero_Day_Initiative/ztmT2AxF">Zero Day Initiative</a> that disclose to the vendor. Often such disclosure is in exchange for a <a href="/facts/Bug_bounty/KfyUbdlL">bug bounty</a>.<a class="footnote-ref" id="fnref:48" href="#fn:48"><sup>48</sup></a><a class="footnote-ref" id="fnref:49" href="#fn:49"><sup>49</sup></a><a class="footnote-ref" id="fnref:50" href="#fn:50"><sup>50</sup></a> Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead. It is not uncommon to receive <a href="/facts/Cease-and-desist/jG0jqxUz">cease-and-desist</a> letters from software vendors after disclosing a vulnerability for free.<a class="footnote-ref" id="fnref:51" href="#fn:51"><sup>51</sup></a></li> <li>Gray: the largest<a class="footnote-ref" id="fnref:52" href="#fn:52"><sup>52</sup></a> and most lucrative. Government or intelligence agencies buy zero-days and may use it in an attack, stockpile the vulnerability, or notify the vendor.<a class="footnote-ref" id="fnref:53" href="#fn:53"><sup>53</sup></a> The United States federal government is one of the largest buyers.<a class="footnote-ref" id="fnref:54" href="#fn:54"><sup>54</sup></a> As of 2013, the <a href="/facts/Five_Eyes/7lnSYxYh">Five Eyes</a> (United States, United Kingdom, Canada, Australia, and New Zealand) captured the plurality of the market and other significant purchasers included Russia, India, Brazil, Malaysia, Singapore, North Korea, and Iran. Middle Eastern countries were poised to become the biggest spenders.<a class="footnote-ref" id="fnref:55" href="#fn:55"><sup>55</sup></a></li> <li>Black: organized crime, which typically prefers exploit software rather than just knowledge of a vulnerability.<a class="footnote-ref" id="fnref:56" href="#fn:56"><sup>56</sup></a> These users are more likely to employ "half-days" where a patch is already available.<a class="footnote-ref" id="fnref:57" href="#fn:57"><sup>57</sup></a></li></ul> <p>In 2015, the markets for government and crime were estimated at at least ten times larger than the white market.<a class="footnote-ref" id="fnref:58" href="#fn:58"><sup>58</sup></a> Sellers are often hacker groups that seek out vulnerabilities in widely used software for financial reward.<a class="footnote-ref" id="fnref:59" href="#fn:59"><sup>59</sup></a> Some will only sell to certain buyers, while others will sell to anyone.<a class="footnote-ref" id="fnref:60" href="#fn:60"><sup>60</sup></a> White market sellers are more likely to be motivated by non pecuniary rewards such as recognition and intellectual challenge.<a class="footnote-ref" id="fnref:61" href="#fn:61"><sup>61</sup></a> Selling zero-day exploits is legal.<a class="footnote-ref" id="fnref:62" href="#fn:62"><sup>62</sup></a><a class="footnote-ref" id="fnref:63" href="#fn:63"><sup>63</sup></a> Despite calls for more regulation, law professor Mailyn Fidler says there is little chance of an international agreement because key players such as Russia and Israel are not interested.<a class="footnote-ref" id="fnref:64" href="#fn:64"><sup>64</sup></a> </p><p>The sellers and buyers that trade in zero-days tend to be secretive, relying on <a href="/facts/Non-disclosure_agreement/3q1t9J05">non-disclosure agreements</a> and <a href="/facts/Classified_information/og7wn3tD">classified information</a> laws to keep the exploits secret. If the vulnerability becomes known, it can be patched and its value consequently crashes.<a class="footnote-ref" id="fnref:65" href="#fn:65"><sup>65</sup></a> Because the market lacks transparency, it can be hard for parties to find a fair price. Sellers might not be paid if the vulnerability was disclosed before it was verified, or if the buyer declined to purchase it but used it anyway. With the proliferation of middlemen, sellers could never know to what use the exploits could be put.<a class="footnote-ref" id="fnref:66" href="#fn:66"><sup>66</sup></a> Buyers could not guarantee that the exploit was not sold to another party.<a class="footnote-ref" id="fnref:67" href="#fn:67"><sup>67</sup></a> Both buyers and sellers advertise on the <a href="/facts/Dark_web/A40ffCpy">dark web</a>.<a class="footnote-ref" id="fnref:68" href="#fn:68"><sup>68</sup></a> </p> <p>Research published in 2022 based on maximum prices paid as quoted by a single exploit broker found a 44 percent annualized <a href="/facts/Inflation/YvKtKrVI">inflation</a> rate in exploit pricing. Remote zero-click exploits could fetch the highest price, while those that require local access to the device are much cheaper.<a class="footnote-ref" id="fnref:69" href="#fn:69"><sup>69</sup></a> Vulnerabilities in widely used software are also more expensive.<a class="footnote-ref" id="fnref:70" href="#fn:70"><sup>70</sup></a> They estimated that around 400 to 1,500 people sold exploits to that broker and they made around $5,500 to $20,800 annually.<a class="footnote-ref" id="fnref:71" href="#fn:71"><sup>71</sup></a> </p> <h2 id="disclosure-and-stockpiling">Disclosure and stockpiling</h2> <p>As of 2017, there is an ongoing debate as to whether the United States should disclose the vulnerabilities it is aware of, so that they can be patched, or keep them secret for its own use.<a class="footnote-ref" id="fnref:72" href="#fn:72"><sup>72</sup></a> Reasons that states keep a vulnerability secret include wanting to use it offensively, or defensively in <a href="/facts/Penetration_test/Jd7lFd4z">penetration testing</a>.<a class="footnote-ref" id="fnref:73" href="#fn:73"><sup>73</sup></a> Disclosing the vulnerability reduces the risk that consumers and all users of the software will be victimized by <a href="/facts/Malware/5ee7TLFR">malware</a> or <a href="/facts/Data_breach/xGxRFY1A">data breaches</a>.<a class="footnote-ref" id="fnref:74" href="#fn:74"><sup>74</sup></a> </p><p>The phases of zero-day vulnerability disclosure, along with a typical timeline, are as follows: </p> <ol><li>Discovery: A researcher identifies the vulnerability, marking "Day 0."</li> <li>Reporting: The researcher notifies the vendor or a third party, starting remediation efforts.</li> <li>Patch development: The vendor develops a fix, which can take weeks to months depending on the complexity.</li> <li>Public disclosure: Once a patch is released, details are shared publicly. If no patch is issued within an agreed period (commonly 90 days), some researchers disclose it to push for action.</li></ol> <h2 id="history">History</h2> <p class="note">Further information: <a href="/facts/List_of_cyberattacks/ahKrI6Hw">List of cyberattacks</a> and <a href="/facts/2010s_global_surveillance_disclosures/FaqSXLnC">2010s global surveillance disclosures</a></p> <p>Zero-day exploits increased in significance after services such as Apple, Google, Facebook, and Microsoft encrypted servers and messages, meaning that the most feasible way to access a user's data was to intercept it at the source before it was encrypted.<a class="footnote-ref" id="fnref:75" href="#fn:75"><sup>75</sup></a> One of the best-known use of zero-day exploits was the <a href="/facts/Stuxnet/xa7gvYYF">Stuxnet</a> worm, which used four zero-day vulnerabilities to damage <a href="/facts/Iran%2527s_nuclear_program/NFCJJy84">Iran's nuclear program</a> in 2010.<a class="footnote-ref" id="fnref:76" href="#fn:76"><sup>76</sup></a> The worm showed what could be achieved by zero-day exploits, unleashing an expansion in the market.<a class="footnote-ref" id="fnref:77" href="#fn:77"><sup>77</sup></a> </p><p>The United States <a href="/facts/National_Security_Agency/Sg6MGV1o">National Security Agency</a> (NSA) increased its search for zero-day vulnerabilities after large tech companies refused to install <a href="/facts/Backdoor_(computing)/4Vry8CKE">backdoors</a> into the software, tasking the <a href="/facts/Tailored_Access_Operations/EfRh6wEF">Tailored Access Operations</a> (TAO) with discovering and purchasing zero-day exploits.<a class="footnote-ref" id="fnref:78" href="#fn:78"><sup>78</sup></a> In 2007, former NSA employee <a href="/facts/Charlie_Miller_(security_researcher)/er9QqyeL">Charlie Miller</a> publicly revealed for the first time that the United States government was buying zero-day exploits.<a class="footnote-ref" id="fnref:79" href="#fn:79"><sup>79</sup></a> Some information about the NSA involvement with zero-days was revealed in the documents leaked by NSA contractor <a href="/facts/Edward_Snowden/yRDLtpH9">Edward Snowden</a> in 2013, but details were lacking.<a class="footnote-ref" id="fnref:80" href="#fn:80"><sup>80</sup></a> Reporter Nicole Perlroth concluded that "either Snowden’s access as a contractor didn’t take him far enough into the government’s systems for the intel required, or some of the government’s sources and methods for acquiring zero-days were so confidential, or controversial, that the agency never dared put them in writing".<a class="footnote-ref" id="fnref:81" href="#fn:81"><sup>81</sup></a> </p><p>One of the most infamous vulnerabilities discovered after 2013, <a href="/facts/Heartbleed/pbIf0KDc">Heartbleed</a> (CVE-2014-0160), was not a zero-day when publicly disclosed but underscored the critical impact that <a href="/facts/Software_bug/I1uSXySv">software bugs</a> can have on global cybersecurity. This flaw in the <a href="/facts/OpenSSL/aXvs5fo2">OpenSSL</a> <a href="/facts/Cryptography/e94PEVau">cryptographic</a> library could have been exploited as a zero-day prior to its discovery, allowing attackers to steal sensitive information such as private keys and passwords.<a class="footnote-ref" id="fnref:82" href="#fn:82"><sup>82</sup></a> </p><p>In 2016 the <a href="/facts/Hacker/bhg519lj">hacking</a> group known as <a href="/facts/The_Shadow_Brokers/mytpjIqP">The Shadow Brokers</a> released a trove of sophisticated zero-day exploits reportedly stolen from the NSA. These included tools such as <a href="/facts/EternalBlue/FI8E9Juo">EternalBlue</a>, which leveraged a vulnerability in <a href="/facts/Microsoft_Windows/bwhAhuSL">Microsoft Windows</a>' <a href="/facts/Server_Message_Block/pWM35pl8">Server Message Block</a> (SMB) protocol. EternalBlue was later weaponized in high-profile attacks like <a href="/facts/WannaCry/zIvlf4jn">WannaCry</a> and <a href="/facts/NotPetya/Mp5nXSk6">NotPetya</a>, causing widespread global damage and highlighting the risks of stockpiling vulnerabilities.<a class="footnote-ref" id="fnref:83" href="#fn:83"><sup>83</sup></a> </p><p>The year 2020 saw one of the most sophisticated cyber espionage campaigns to date, in which attackers exploited multiple vulnerabilities, including zero-day vulnerabilities, to compromise <a href="/facts/SolarWinds/IXx2HlQl">SolarWinds</a>' Orion software. This allowed access to numerous government and corporate networks.<a class="footnote-ref" id="fnref:84" href="#fn:84"><sup>84</sup></a> </p><p>In 2021 Chinese state-sponsored group, <a href="/facts/Hafnium_(group)/WmvWI7ul">Hafnium</a>, exploited zero-day vulnerabilities in <a href="/facts/Microsoft_Exchange_Server/9pu8G4It">Microsoft Exchange Server</a> to conduct cyber espionage. Known as <a href="/facts/ProxyLogon/Pws7umsW">ProxyLogon</a>, these flaws allowed attackers to bypass authentication and execute arbitrary code, compromising thousands of systems globally.<a class="footnote-ref" id="fnref:85" href="#fn:85"><sup>85</sup></a> </p><p>In 2022 the spyware <a href="/facts/Pegasus_(spyware)/gfDBqYHX">Pegasus</a>, developed by <a href="/facts/Israel/dEe3IcaY">Israel</a>'s <a href="/facts/NSO_Group/e0wyTlTs">NSO Group</a>, was found to exploit zero-click vulnerabilities in messaging apps like <a href="/facts/IMessage/0oMKq4Xq">iMessage</a> and <a href="/facts/WhatsApp/VMlSeFb6">WhatsApp</a>. These exploits allowed attackers to access targets' devices without requiring user interaction, heightening concerns over surveillance and privacy.<a class="footnote-ref" id="fnref:86" href="#fn:86"><sup>86</sup></a> </p> <h2 id="sources">Sources</h2> <ul><li>Ablon, Lillian; Bogart, Andy (2017). <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf"><i>Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits</i></a> (PDF). Rand Corporation. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-8330-9761-3.</li> <li>Ahmad, Rasheed; Alsmadi, Izzat; Alhamdani, Wasim; Tawalbeh, Lo’ai (2023). <a href="https://link.springer.com/article/10.1007/s10462-023-10437-z">"Zero-day attack detection: a systematic literature review"</a>. <i>Artificial Intelligence Review</i>. 56 (10): 10733–10811. <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1007%2Fs10462-023-10437-z">10.1007/s10462-023-10437-z</a>. <a href="/facts/ISSN_(identifier)/DPAflDvU">ISSN</a> <a href="https://search.worldcat.org/issn/1573-7462">1573-7462</a>.</li> <li>Bravo, Cesar; Kitchen, Darren (2022). <i>Mastering Defensive Security: Effective techniques to secure your Windows, Linux, IoT, and cloud infrastructure</i>. Packt Publishing. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-80020-609-0.</li> <li>Dellago, Matthias; Simpson, Andrew C.; Woods, Daniel W. (2022). "Exploit Brokers and Offensive Cyber Operations". <i>The Cyber Defense Review</i>. 7 (3): 31–48. <a href="/facts/ISSN_(identifier)/DPAflDvU">ISSN</a> <a href="https://search.worldcat.org/issn/2474-2120">2474-2120</a>. <a href="/facts/JSTOR_(identifier)/YTeVmaJ7">JSTOR</a> <a href="https://www.jstor.org/stable/48682321">48682321</a>.</li> <li>Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf"><i>The Defender's Dilemma: Charting a Course Toward Cybersecurity</i></a> (PDF). Rand Corporation. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-8330-8911-3.</li> <li>O'Harrow, Robert (2013). <i>Zero Day: The Threat In Cyberspace</i>. Diversion Books. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-938120-76-3.</li> <li>Perlroth, Nicole (2021). <i>This Is How They Tell Me the World Ends: The Cyberweapons Arms Race</i>. Bloomsbury Publishing. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-5266-2983-8.</li> <li>Sood, Aditya; Enbody, Richard (2014). <i>Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware</i>. Syngress. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-12-800619-1.</li> <li>Strout, Benjamin (2023). <i>The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities</i>. Packt Publishing. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-80324-356-6.</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Guo, Mingyu; Wang, Guanhua; Hata, Hideaki; Babar, Muhammad Ali (2021-07-01). "Revenue maximizing markets for zero-day exploits". Autonomous Agents and Multi-Agent Systems. 35 (2): 36. arXiv:2006.14184. doi:10.1007/s10458-021-09522-w. ISSN 1387-2532. S2CID 254225904. <a href="https://link.springer.com/10.1007/s10458-021-09522-w" target="_blank">https://link.springer.com/10.1007/s10458-021-09522-w</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Compare: "What is a Zero-Day Vulnerability?". pctools. Symantec. Archived from the original on 2017-07-04. Retrieved 2016-01-20. A zero day vulnerability refers to an exploitable bug in software that is unknown to the vendor. This security hole may be exploited by crackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. <a href="https://web.archive.org/web/20170704035927/http://www.pctools.com/security-news/zero-day-vulnerability/" target="_blank">https://web.archive.org/web/20170704035927/http://www.pctools.com/security-news/zero-day-vulnerability/</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Zetter, Kim (Nov 11, 2014). "Hacker Lexicon: What Is a Zero Day?". Wired. <a href="https://www.wired.com/2014/11/what-is-a-zero-day/" target="_blank">https://www.wired.com/2014/11/what-is-a-zero-day/</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"Where the term "Zero Day" comes from - mmmm". 2018-01-31. Archived from the original on 2018-01-31. Retrieved 2021-09-05. <a href="https://web.archive.org/web/20180131070511/http://markmaunder.com/2014/06/16/where-zero-day-comes-from/" target="_blank">https://web.archive.org/web/20180131070511/http://markmaunder.com/2014/06/16/where-zero-day-comes-from/</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"Flash Vulnerabilities Causing Problems". ESET. Archived from the original on March 4, 2016. Retrieved Mar 4, 2016. <a href="https://web.archive.org/web/20160304075159/http://www.eset.co.uk/Press-Centre/Blog/Article/flash-zero-day" target="_blank">https://web.archive.org/web/20160304075159/http://www.eset.co.uk/Press-Centre/Blog/Article/flash-zero-day</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>The Man Who Found Stuxnet – Sergey Ulasen in the Spotlight published on November 2, 2011 <a href="https://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/" target="_blank">https://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Ablon & Bogart 2017, p. 1. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Ablon & Bogart 2017, p. 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Ablon & Bogart 2017, pp. iii, 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Sood & Enbody 2014, p. 1. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>Perlroth 2021, p. 7. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>Ablon & Bogart 2017, p. 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>Strout 2023, p. 23. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>Ablon & Bogart 2017, p. 3. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>Sood & Enbody 2014, p. 24. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>Bravo & Kitchen 2022, p. 11. - Bravo, Cesar; Kitchen, Darren (2022). Mastering Defensive Security: Effective techniques to secure your Windows, Linux, IoT, and cloud infrastructure. Packt Publishing. ISBN 978-1-80020-609-0. <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>Ablon & Bogart 2017, p. 3. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>Sood & Enbody 2014, p. 1. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>Ablon & Bogart 2017, p. xiv. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>Sood & Enbody 2014, pp. 2–3, 24. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>Sood & Enbody 2014, p. 4. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>Ablon & Bogart 2017, p. xiii. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>Perlroth 2021, p. 142. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>Ablon & Bogart 2017, p. xi. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>Ablon & Bogart 2017, p. 8. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>Strout 2023, p. 26. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> <li id="fn:30"><p>Libicki, Ablon & Webb 2015, p. 50. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></p></li> <li id="fn:31"><p>Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:31" class="footnote-back-ref">↩</a></p></li> <li id="fn:32"><p>Libicki, Ablon & Webb 2015, pp. 49–50. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:32" class="footnote-back-ref">↩</a></p></li> <li id="fn:33"><p>Strout 2023, p. 28. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:33" class="footnote-back-ref">↩</a></p></li> <li id="fn:34"><p>Libicki, Ablon & Webb 2015, pp. 49–50. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:34" class="footnote-back-ref">↩</a></p></li> <li id="fn:35"><p>Ablon & Bogart 2017, p. x. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:35" class="footnote-back-ref">↩</a></p></li> <li id="fn:36"><p>Ablon & Bogart 2017, p. xiii. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:36" class="footnote-back-ref">↩</a></p></li> <li id="fn:37"><p>Ablon & Bogart 2017, pp. xi–xii. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:37" class="footnote-back-ref">↩</a></p></li> <li id="fn:38"><p>Ablon & Bogart 2017, p. x: "For a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been discovered by an outside entity." - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:38" class="footnote-back-ref">↩</a></p></li> <li id="fn:39"><p>Leal, Marcelo M.; Musgrave, Paul (2023). "Backwards from zero: How the U.S. public evaluates the use of zero-day vulnerabilities in cybersecurity". Contemporary Security Policy. 44 (3): 437–461. doi:10.1080/13523260.2023.2216112. ISSN 1352-3260. <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:39" class="footnote-back-ref">↩</a></p></li> <li id="fn:40"><p>Perlroth 2021, p. 8. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:40" class="footnote-back-ref">↩</a></p></li> <li id="fn:41"><p>Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:41" class="footnote-back-ref">↩</a></p></li> <li id="fn:42"><p>Ahmad et al. 2023, p. 10733. - Ahmad, Rasheed; Alsmadi, Izzat; Alhamdani, Wasim; Tawalbeh, Lo’ai (2023). "Zero-day attack detection: a systematic literature review". Artificial Intelligence Review. 56 (10): 10733–10811. doi:10.1007/s10462-023-10437-z. ISSN 1573-7462. <a href="https://link.springer.com/article/10.1007/s10462-023-10437-z" target="_blank">https://link.springer.com/article/10.1007/s10462-023-10437-z</a> <a href="#fnref:42" class="footnote-back-ref">↩</a></p></li> <li id="fn:43"><p>Strout 2023, p. 24. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:43" class="footnote-back-ref">↩</a></p></li> <li id="fn:44"><p>Libicki, Ablon & Webb 2015, p. 104. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:44" class="footnote-back-ref">↩</a></p></li> <li id="fn:45"><p>Dellago, Simpson & Woods 2022, p. 41. - Dellago, Matthias; Simpson, Andrew C.; Woods, Daniel W. (2022). "Exploit Brokers and Offensive Cyber Operations". The Cyber Defense Review. 7 (3): 31–48. ISSN 2474-2120. JSTOR 48682321. <a href="https://search.worldcat.org/issn/2474-2120" target="_blank">https://search.worldcat.org/issn/2474-2120</a> <a href="#fnref:45" class="footnote-back-ref">↩</a></p></li> <li id="fn:46"><p>Sood & Enbody 2014, p. 1. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:46" class="footnote-back-ref">↩</a></p></li> <li id="fn:47"><p>Libicki, Ablon & Webb 2015, p. 44. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:47" class="footnote-back-ref">↩</a></p></li> <li id="fn:48"><p>Dellago, Simpson & Woods 2022, p. 33. - Dellago, Matthias; Simpson, Andrew C.; Woods, Daniel W. (2022). "Exploit Brokers and Offensive Cyber Operations". The Cyber Defense Review. 7 (3): 31–48. ISSN 2474-2120. JSTOR 48682321. <a href="https://search.worldcat.org/issn/2474-2120" target="_blank">https://search.worldcat.org/issn/2474-2120</a> <a href="#fnref:48" class="footnote-back-ref">↩</a></p></li> <li id="fn:49"><p>O'Harrow 2013, p. 18. - O'Harrow, Robert (2013). Zero Day: The Threat In Cyberspace. Diversion Books. ISBN 978-1-938120-76-3. <a href="#fnref:49" class="footnote-back-ref">↩</a></p></li> <li id="fn:50"><p>Libicki, Ablon & Webb 2015, p. 45. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:50" class="footnote-back-ref">↩</a></p></li> <li id="fn:51"><p>Strout 2023, p. 36. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:51" class="footnote-back-ref">↩</a></p></li> <li id="fn:52"><p>Sood & Enbody 2014, p. 1. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:52" class="footnote-back-ref">↩</a></p></li> <li id="fn:53"><p>Libicki, Ablon & Webb 2015, p. 44. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:53" class="footnote-back-ref">↩</a></p></li> <li id="fn:54"><p>Sood & Enbody 2014, p. 1. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:54" class="footnote-back-ref">↩</a></p></li> <li id="fn:55"><p>Perlroth 2021, p. 145. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:55" class="footnote-back-ref">↩</a></p></li> <li id="fn:56"><p>Libicki, Ablon & Webb 2015, pp. 44, 46. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:56" class="footnote-back-ref">↩</a></p></li> <li id="fn:57"><p>Libicki, Ablon & Webb 2015, p. 46. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:57" class="footnote-back-ref">↩</a></p></li> <li id="fn:58"><p>Libicki, Ablon & Webb 2015, p. 44. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:58" class="footnote-back-ref">↩</a></p></li> <li id="fn:59"><p>Sood & Enbody 2014, p. 116. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:59" class="footnote-back-ref">↩</a></p></li> <li id="fn:60"><p>Libicki, Ablon & Webb 2015, p. 46. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:60" class="footnote-back-ref">↩</a></p></li> <li id="fn:61"><p>Libicki, Ablon & Webb 2015, pp. 46–47. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:61" class="footnote-back-ref">↩</a></p></li> <li id="fn:62"><p>Libicki, Ablon & Webb 2015, p. 45. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:62" class="footnote-back-ref">↩</a></p></li> <li id="fn:63"><p>Gooding, Matthew (19 July 2022). "Zero day vulnerability trade is lucrative but risky". Tech Monitor. Retrieved 4 April 2024. <a href="https://techmonitor.ai/partner-content/zero-day-vulnerability-exploit-spyware" target="_blank">https://techmonitor.ai/partner-content/zero-day-vulnerability-exploit-spyware</a> <a href="#fnref:63" class="footnote-back-ref">↩</a></p></li> <li id="fn:64"><p>Gooding, Matthew (19 July 2022). "Zero day vulnerability trade is lucrative but risky". Tech Monitor. Retrieved 4 April 2024. <a href="https://techmonitor.ai/partner-content/zero-day-vulnerability-exploit-spyware" target="_blank">https://techmonitor.ai/partner-content/zero-day-vulnerability-exploit-spyware</a> <a href="#fnref:64" class="footnote-back-ref">↩</a></p></li> <li id="fn:65"><p>Perlroth 2021, p. 42. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:65" class="footnote-back-ref">↩</a></p></li> <li id="fn:66"><p>Perlroth 2021, p. 57. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:66" class="footnote-back-ref">↩</a></p></li> <li id="fn:67"><p>Perlroth 2021, p. 58. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:67" class="footnote-back-ref">↩</a></p></li> <li id="fn:68"><p>Sood & Enbody 2014, p. 117. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:68" class="footnote-back-ref">↩</a></p></li> <li id="fn:69"><p>Dellago, Simpson & Woods 2022, pp. 31, 41. - Dellago, Matthias; Simpson, Andrew C.; Woods, Daniel W. (2022). "Exploit Brokers and Offensive Cyber Operations". The Cyber Defense Review. 7 (3): 31–48. ISSN 2474-2120. JSTOR 48682321. <a href="https://search.worldcat.org/issn/2474-2120" target="_blank">https://search.worldcat.org/issn/2474-2120</a> <a href="#fnref:69" class="footnote-back-ref">↩</a></p></li> <li id="fn:70"><p>Libicki, Ablon & Webb 2015, p. 48. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:70" class="footnote-back-ref">↩</a></p></li> <li id="fn:71"><p>Dellago, Simpson & Woods 2022, p. 42: "The number of independent active sellers (between 400[31] and 1500[35] individuals) ... 2015,[35] suggests an annual pay of $5.5k - 20.8k per researcher." - Dellago, Matthias; Simpson, Andrew C.; Woods, Daniel W. (2022). "Exploit Brokers and Offensive Cyber Operations". The Cyber Defense Review. 7 (3): 31–48. ISSN 2474-2120. JSTOR 48682321. <a href="https://search.worldcat.org/issn/2474-2120" target="_blank">https://search.worldcat.org/issn/2474-2120</a> <a href="#fnref:71" class="footnote-back-ref">↩</a></p></li> <li id="fn:72"><p>Ablon & Bogart 2017, p. iii. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:72" class="footnote-back-ref">↩</a></p></li> <li id="fn:73"><p>Ablon & Bogart 2017, p. xiv. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:73" class="footnote-back-ref">↩</a></p></li> <li id="fn:74"><p>Ablon & Bogart 2017, p. 1. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:74" class="footnote-back-ref">↩</a></p></li> <li id="fn:75"><p>Perlroth 2021, p. 8. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:75" class="footnote-back-ref">↩</a></p></li> <li id="fn:76"><p>Ablon & Bogart 2017, p. 3. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:76" class="footnote-back-ref">↩</a></p></li> <li id="fn:77"><p>Perlroth 2021, p. 145. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:77" class="footnote-back-ref">↩</a></p></li> <li id="fn:78"><p>Perlroth 2021, p. 9. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:78" class="footnote-back-ref">↩</a></p></li> <li id="fn:79"><p>Perlroth 2021, pp. 60, 62. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:79" class="footnote-back-ref">↩</a></p></li> <li id="fn:80"><p>Perlroth 2021, p. 9. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:80" class="footnote-back-ref">↩</a></p></li> <li id="fn:81"><p>Perlroth 2021, p. 10. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:81" class="footnote-back-ref">↩</a></p></li> <li id="fn:82"><p>"Heartbleed: Serious OpenSSL zero day vulnerability revealed". ZDNet. Archived from the original on 2024-10-04. Retrieved 2024-11-29. <a href="https://www.zdnet.com/article/heartbleed-serious-openssl-zero-day-vulnerability-revealed/" target="_blank">https://www.zdnet.com/article/heartbleed-serious-openssl-zero-day-vulnerability-revealed/</a> <a href="#fnref:82" class="footnote-back-ref">↩</a></p></li> <li id="fn:83"><p>"The Shadow Brokers publishing the NSA vulnerabilities". Cyberlaw. 4 June 2021. Archived from the original on 2024-02-27. Retrieved 2024-11-29. <a href="https://cyberlaw.ccdcoe.org/wiki/The_Shadow_Brokers_publishing_the_NSA_vulnerabilities_(2016)" target="_blank">https://cyberlaw.ccdcoe.org/wiki/The_Shadow_Brokers_publishing_the_NSA_vulnerabilities_(2016)</a> <a href="#fnref:83" class="footnote-back-ref">↩</a></p></li> <li id="fn:84"><p>"SolarWinds hack explained: Everything you need to know". TechTarget. Archived from the original on 2024-10-05. Retrieved 2024-11-29. <a href="https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know" target="_blank">https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know</a> <a href="#fnref:84" class="footnote-back-ref">↩</a></p></li> <li id="fn:85"><p>"Businesses urged to act fast against ProxyLogon attack on Microsoft Exchange Server". S-RM. Archived from the original on 2024-11-29. Retrieved 2024-11-29. <a href="https://www.s-rminform.com/latest-thinking/proxylogon-attack-on-microsoft-exchange-server" target="_blank">https://www.s-rminform.com/latest-thinking/proxylogon-attack-on-microsoft-exchange-server</a> <a href="#fnref:85" class="footnote-back-ref">↩</a></p></li> <li id="fn:86"><p>Marczak, Bill; Scott-Railton, John; Razzak, Bahr Abdul; Deibert, Ron (18 April 2023). "NSO Group's Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains". Citizenlab. Archived from the original on 2024-09-27. Retrieved 2024-11-29. <a href="https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/" target="_blank">https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/</a> <a href="#fnref:86" class="footnote-back-ref">↩</a></p></li> </ol>