The cybersecurity world has been abuzz about AI-assisted tools finding vulnerabilities faster than ever. Even non-tech outlets have covered topics like Anthropic’s Mythos bot being deemed a proverbial superweapon. We also covered one of many warnings that the industry-standard 90-day vulnerability disclosure window is going the way of the dodo. Pretty words won't move programmers or politicians, though; numbers will, and the Zero-Day Clock (ZDC) uses them to lay out plainly what lax security has cost over the past few years.
The website was created by Sergej Epp of Sysdig, and the effort counts nearly every major tech and cybersecurity company among its signatories. The lowdown is simple: with AI in the picture, the mean time between a vulnerability being publicly disclosed and it being exploited (the window defenders have to patch) has dropped from nearly a year in 2021 to just over a day in 2026 (and counting). The trend in the data is painfully visible, and the ZDC projects that in 2027 the figure will fall to one hour and one minute.
That’s hardly the only stiff-drink-inducing graph, though. The share of vulnerabilities exploited as zero-days, meaning attackers were already using them before public disclosure, rose from 31% five years ago to a massive 73.2% today. The flip side is just as clear: the share of vulnerabilities not yet exploited at the time of disclosure fell from roughly 60-70% in 2021 to a measly 25% now, and that is only the picture at disclosure. Following the X axis, very few vulnerabilities now stay unexploited for more than a couple of weeks, and none remain unused past the six-week mark, versus roughly 24% last year.
It’s also worth noting that the dataset behind these graphs is fairly narrow: it only tracks publicly disclosed vulnerabilities with known exploitation. In other words, we may well be looking at the mere tip of the iceberg, and the ZDC researchers remind readers that “we only track publicly visible exploits. Private or nation-state exploits may exist earlier.” The time-lapse of this collapse is laid out on a dedicated page at the ZDC.
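To make the three numbers above concrete (time to exploit, zero-day share, and the share still unexploited after a given window), here is an added example that is not code from the ZDC or this article. It runs over a small constructed sample of (disclosure date, first public exploitation date) pairs; the dates, the `AS_OF` snapshot date and the function names are all assumptions made for illustration. It also handles the caveat the ZDC itself raises: a vulnerability disclosed less than six weeks ago cannot yet be judged "unexploited after six weeks", and a record with no known exploit only means no public exploit is known.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample, NOT the Zero-Day Clock dataset: (public disclosure date,
# first publicly documented exploitation date, or None if no public exploit is known).
SAMPLE = [
    (date(2026, 1, 10), date(2026, 1, 8)),   # exploited 2 days before disclosure: zero-day
    (date(2026, 1, 15), date(2026, 1, 15)),  # exploited on disclosure day: also a zero-day
    (date(2026, 2, 1),  date(2026, 2, 3)),
    (date(2026, 2, 10), date(2026, 2, 20)),
    (date(2026, 2, 12), None),               # no public exploit known (may still exist privately)
    (date(2026, 3, 1),  date(2026, 3, 25)),
    (date(2026, 3, 5),  date(2026, 2, 28)),  # zero-day
    (date(2026, 4, 20), None),               # too recent to judge a six-week window
    (date(2026, 4, 25), date(2026, 4, 26)),
]
AS_OF = date(2026, 5, 1)  # assumed "today" of the snapshot


def exploit_deltas(records):
    """Days from disclosure to first public exploitation, for every exploited record.
    Zero or negative means the bug was a zero-day: attackers were ahead of the disclosure."""
    return [(exploited - disclosed).days
            for disclosed, exploited in records if exploited is not None]


def zero_day_share(records):
    """Share of exploited vulnerabilities that were already being exploited at disclosure."""
    deltas = exploit_deltas(records)
    return sum(1 for d in deltas if d <= 0) / len(deltas)


def median_time_to_exploit(records):
    """Median defender window in days. Zero-days are clamped to 0 because the window
    was already gone before anyone could patch."""
    return median(max(d, 0) for d in exploit_deltas(records))


def unexploited_share_after(records, days, as_of):
    """Share of vulnerabilities with no public exploit `days` after disclosure.

    Only vulnerabilities disclosed at least `days` before `as_of` count: a newer one has not
    had a full window in which an exploit could have appeared (right-censoring), so including
    it would make the picture look rosier than it is. Returns None if nothing is old enough.
    """
    window = timedelta(days=days)
    eligible = [(d, e) for d, e in records if d + window <= as_of]
    if not eligible:
        return None
    still_clean = sum(1 for d, e in eligible if e is None or e > d + window)
    return still_clean / len(eligible)


if __name__ == "__main__":
    print(f"exploited records:          {len(exploit_deltas(SAMPLE))} of {len(SAMPLE)}")
    print(f"zero-day share:             {zero_day_share(SAMPLE):.1%}")
    print(f"median time to exploit:     {median_time_to_exploit(SAMPLE)} day(s)")
    for weeks in (2, 6):
        share = unexploited_share_after(SAMPLE, 7 * weeks, AS_OF)
        print(f"unexploited after {weeks} weeks:  {share:.1%}")
```

The two recent records (disclosed 20 and 25 April) drop out of the six-week figure for the reason the ZDC gives: nobody can yet say whether they will stay unexploited. When reproducing these graphs from any real feed, apply the same cut-off, otherwise the most recent weeks always look artificially safe.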
So what can be done? The ZDC researchers have published a call to action. First, the easier pills to swallow: ship every piece of firmware, software, framework, and hardware platform with its security features enabled by default, and adopt a zero-trust architecture wherever possible. Since roughly 70% of vulnerabilities stem from memory-safety bugs (a figure in line with what Microsoft and Google have reported for their own C and C++ code bases), using Rust or another memory-safe language instead of C or C++ is a must.
The ZDC also recommends that systems be designed to be disposable by default, meaning, for example, that a compromised machine can be thrown away and rebuilt from a known-good image rather than cleaned up in place. And since AI bots are empowering attackers, the ZDC recommends that free and open-source AI-powered tools (think an open-source Mythos) be made available, so that defenders can get full knowledge of their own systems, source code, and logs.
Then we get into the trickier ones. The biggest recommendation is to make software makers liable for damaging security vulnerabilities, as well-known cybersecurity expert Bruce Schneier explains: “No industry in the past 150 years has improved safety or security without being forced to by the government.” He additionally points out that an insecure, technically unsound product that is first to market and/or easier to use will beat its better-engineered competitors every single time.
Then there’s a call to revise AI laws that end up handing attackers a time advantage, such as well-meaning but poorly considered efforts like the EU’s “Stop the Clock.” These are intended to slow the spread of AI, but they end up hurting security by slowing down defenders, while attackers are not inclined to follow laws and guidelines and will simply speed up their efforts.
The ZDC also argues that software security should be a geopolitical priority and a public concern, with funding allocated accordingly. Lastly, the ZDC calls for including cybersecurity researchers in the lawmaking process, since the people writing the laws generally don’t fully understand the things they are regulating (or deregulating), a constant throughout human history.
Follow Tom’s Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
