On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <sean@donelan.com> said:
> The numbers vary a little, e.g. 38% or 42%, but the speed or severity or publicity doesn't change them much. If it is six months before the exploit, about 40% will be patched (60% unpatched). If it is 2 weeks, about 40% will be patched (60% unpatched). It's a strange "invisible hand" effect: as the exploits show up sooner, the people who were going to patch anyway patch sooner. The ones that don't, still don't.
Remember that the black hats almost certainly had 0-days for the holes, and before the patch comes out, the 0-day is 100% effective. Once the patch comes out and is widely deployed, the usefulness of the 0-day drops. Most probably, 40% is a common value for "I might as well release this one and get some recognition". After that point, the residual value starts dropping quickly. Dave Aucsmith of Microsoft seems to think there's a flurry of activity to reverse engineer the patch: http://news.bbc.co.uk/1/hi/technology/3485972.stm In fact, half of them are just sitting there and playing "chicken" - you wait too long, and somebody else gets the recognition as "best reverse engineer" by Aucsmith, but if you wait too little, you lose your 0-day while it still has some effectiveness. Somebody else can turn the crank on the game-theory machine and figure out what the mathematically optimum release point is....