One of the more disturbing issues regarding 0-days is their lifetimes. The lifetime of a 0-day
is the amount of time between the discovery of the vulnerability and public disclosure
through vendor or researcher announcement, mailing lists, and so on. By the very nature of
0-day discovery and disclosure, it is difficult to get reliable statistics on lifetimes, but one
vulnerability research organization claims its studies indicate an average 0-day lifetime of
348 days. Hence, if malicious attackers have a high-value 0-day in hand, they may have
almost a year to put it to the most effective use. If used in a stealthy manner so as not to tip off
system defenders, vendors, and researchers, this sort of 0-day can yield many high-value
compromised systems for the attackers. Though there has been no official substantiation,
there has been a great deal of speculation that the Titan Rain series of attacks against
sensitive U.S. government networks between 2003 and 2005 utilized a set of 0-days against
Microsoft software