The cybersecurity world has been abuzz about AI-assisted tools finding vulnerabilities faster than ever. Even non-tech outlets have covered topics like Anthropic's Mythos bot being deemed a proverbial superweapon. We discussed one of many alerts on how the industry-standard 90-day vulnerability disclosure window is going the way of the dodo, too. Words are pretty, but programmers and politicians don't use poetry, so numbers are the proper tool for this topic. The Zero-Day Clock (ZDC) uses them to clearly display the consequences of lax security throughout the ages.
The website was created by Sergej Epp from Sysdig, and the effort counts nearly every major tech and cybersecurity company as a signatory. The lowdown is quite simple: the proverbial AI singularity made it so the mean time between a vulnerability being discovered and it being exploited has dropped from nearly a year in 2021 to just over a day in 2026 (and counting). The trend in the data is painfully visible, and the ZDC predicts that in 2027 the figure will eventually drop to one hour and one minute.
Zero Day Clock - Timeline (Image credit: zerodayclock.com)
That's hardly the only stiff-drink-inducing graph, though. The percentage of zero-day exploits, meaning that malfeasants were already using them before official word came out, rose from 31% five years ago to a massive 73.2% as of today. Here, it's clearly visible that the percentage of non-exploited vulnerabilities went from ~60-70% in 2021 to a measly 25% currently... but only at the time of disclosure. Tracking the X axis shows that currently, very few vulnerabilities stay unexploited for more than a couple of weeks, and zero remain unused once past the six-week mark, in contrast with ~24% for last year.
Zero Day Clock - Exploit Survival Curve (Image credit: zerodayclock.com)
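As an added illustration (not code from the ZDC site), the following Python computes the three figures the charts above display, the zero-day share, the mean time-to-exploit and an exploit survival curve, from a constructed set of disclosure and first-exploitation dates; treating not-yet-exploited entries as right-censored is an assumption.

```python
from datetime import date

# Constructed sample (not real CVE data): (id, disclosure date, first public exploitation or None)
SAMPLE = [
    ("VULN-A", date(2026, 1, 5), date(2026, 1, 3)),    # exploited before disclosure: zero-day
    ("VULN-B", date(2026, 1, 10), date(2026, 1, 10)),  # exploited on disclosure day: zero-day
    ("VULN-C", date(2026, 1, 12), date(2026, 1, 20)),  # exploited 8 days after disclosure
    ("VULN-D", date(2026, 1, 15), None),               # no known exploitation as of OBSERVED
    ("VULN-E", date(2026, 2, 1), date(2026, 2, 3)),    # exploited 2 days after disclosure
]
OBSERVED = date(2026, 3, 1)  # constructed cut-off date of the dataset


def zero_day_share(records):
    """Share of exploited entries whose exploitation predates or equals disclosure."""
    exploited = [(d, e) for _, d, e in records if e is not None]
    return sum(1 for d, e in exploited if e <= d) / len(exploited)


def mean_time_to_exploit(records):
    """Mean days from disclosure to first exploitation over exploited entries.
    Assumption: zero-days count as 0 days rather than as a negative delta."""
    deltas = [max(0, (e - d).days) for _, d, e in records if e is not None]
    return sum(deltas) / len(deltas)


def survival(records, t, observed=OBSERVED):
    """Fraction still unexploited t days after disclosure, counting only entries
    observable for at least t days (right-censored entries count as unexploited).
    Returns None when no entry is old enough to be assessed at t."""
    eligible = [(d, e) for _, d, e in records if (observed - d).days >= t]
    if not eligible:
        return None
    alive = sum(1 for d, e in eligible if e is None or (e - d).days > t)
    return alive / len(eligible)


if __name__ == "__main__":
    print(f"zero-day share: {zero_day_share(SAMPLE):.1%}")
    print(f"mean time-to-exploit: {mean_time_to_exploit(SAMPLE):.1f} days")
    for t in (0, 7, 14, 42):
        print(f"unexploited after {t:2d} days: {survival(SAMPLE, t):.1%}")
```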
Additionally, it's worth noting that the dataset used for these graphs is limited in scope: it only tracks publicly disclosed vulnerabilities that have a known exploitation. In other words, we may well be looking at the mere tip of the iceberg, and the ZDC researchers remind readers that "we only track publicly visible exploits. Private or nation-state exploits may exist earlier." The time-lapse of the collapse of computer security is detailed on a dedicated page at the ZDC.
So what can be done? Well, the ZDC researchers published a call to action. First, those that are fairly easy to swallow: ensure every piece of firmware, software, framework, and hardware platform has all the security features enabled by default, and always adopt a zero-trust architecture whenever possible. Since 70% of vulnerabilities are a consequence of memory safety bugs, using Rust or another memory-safe language instead of C or C++ is a must.
The ZDC also recommends that systems be designed so they're disposable by default, meaning, for example, that an exploited machine can be easily restored. Since AI bots are empowering attackers, the ZDC recommends the availability of free and open-source AI-powered tools (think an open-source Mythos), so that defenders have full knowledge of their system, source code, and logs.
Then we get into the tricky ones. The biggest recommendation is to make software makers liable for damaging security vulnerabilities, as well-known cybersecurity master Bruce Schneier explains: "No industry in the past 150 years has improved safety or security without being forced to by the government." He additionally points out that an insecure, technically unsound product that is first to market and/or easier to use will win over its better-developed competitors every single time.