Groundbreaking new study from RAND Corporation finds average zero-day vulnerability works for nearly seven years before losing effectiveness. The study, “Zero Days, Thousands of Nights,” has been welcomed by computer security analysts due to the previous paucity of data relating to “zero days” “Zero days” are flaws that have not been patched by a software vendor. Such flaws can remain useful long after patches get issued, if manufacturers fail to offer the patches to users of their products. Only 5.7 percent of any given stockpile of vulnerabilities will be found by someone else after one year.”]
Source: https://www.cuinfosecurity.com/blogs/zero-day-facts-life-revealed-in-rand-study-p-2413