About Zero Day Clock
Thesis
The gap between vulnerability disclosure and first working exploit is collapsing exponentially. Zero Day Clock tracks this collapse using six independent data sources, computing Time-to-Exploit (TTE) for every CVE with a known exploit. The data shows defenders' response window is approaching zero.
Methodology
TTE Calculation: TTE = (T_exploit - T_disclosure) / 3600, expressed in hours. T_disclosure comes from the NVD publication date. T_exploit is the earliest timestamp from any of our exploit sources.
Zero-Day Classification: When TTE is negative (exploit predates disclosure), the CVE is flagged as a zero-day with is_zero_day = true. For median calculations, negative TTEs are clamped to 0.
Prediction Model: An exponential decay function TTE(year) = a · e^(-b · (year - 2018)) is fit to yearly median TTEs using least squares regression.
Verifier's Law: All data is sourced from public APIs. Every TTE can be independently verified by checking the NVD publication date against the exploit source timestamp.
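The methodology above, end to end, as an added example (not Zero Day Clock's own code). It assumes records are grouped by disclosure year and that the fit is ordinary least squares on log(TTE), which the page does not specify; the records and their IDs are constructed placeholders.

```python
from datetime import datetime, timezone
from math import exp, log
from statistics import median

def ts(s):
    """Parse an ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def tte_hours(disclosed, exploits):
    """TTE = (T_exploit - T_disclosure) / 3600, using the earliest exploit timestamp."""
    return (min(exploits) - disclosed).total_seconds() / 3600

def classify(rec):
    """Return (tte, is_zero_day) for one record; a negative TTE flags a zero-day."""
    tte = tte_hours(rec["disclosed"], rec["exploits"])
    return tte, tte < 0

def yearly_medians(records):
    """Median TTE per disclosure year (assumed grouping), negative TTEs clamped to 0."""
    by_year = {}
    for rec in records:
        tte, _ = classify(rec)
        by_year.setdefault(rec["disclosed"].year, []).append(max(tte, 0.0))
    return {y: median(v) for y, v in sorted(by_year.items())}

def fit_decay(medians, base_year=2018):
    """Fit TTE(year) = a * exp(-b * (year - base_year)).
    Assumption: ordinary least squares on log(TTE); zero medians are skipped."""
    pts = [(y - base_year, log(m)) for y, m in medians.items() if m > 0]
    mx = sum(x for x, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    slope = (sum((x - mx) * (y - my) for x, y in pts)
             / sum((x - mx) ** 2 for x, _ in pts))
    return exp(my - slope * mx), -slope

# Constructed sample records (placeholder IDs, not real CVEs or real dates).
RECORDS = [
    {"id": "CVE-A", "disclosed": ts("2018-03-01T00:00:00"),
     "exploits": [ts("2018-04-10T00:00:00"), ts("2018-03-21T00:00:00")]},
    {"id": "CVE-B", "disclosed": ts("2019-05-01T00:00:00"),
     "exploits": [ts("2019-05-11T00:00:00")]},
    {"id": "CVE-C", "disclosed": ts("2020-06-10T00:00:00"),
     "exploits": [ts("2020-06-08T00:00:00")]},  # exploit predates disclosure
    {"id": "CVE-D", "disclosed": ts("2020-07-01T00:00:00"),
     "exploits": [ts("2020-07-11T00:00:00")]},
]
```

In the 2020 sample, clamping moves the median from 96 to 120 hours, which shows how the clamp rule changes the fitted curve when zero-days are common.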
Data Sources
| Source | Role | Precision |
|---|---|---|
| NVD (NIST) | T_disclosure — CVE publication timestamp | Second |
| nomi-sec/PoC-in-GitHub | T_exploit — GitHub PoC repo creation dates | Second |
| VulnCheck KEV | T_exploit — exploit database timestamps | Second |
| CISA KEV | T_exploit — known exploited vulnerability dates | Day-only |
| CIRCL Sightings | T_exploit — exploit sighting timestamps | Second |
| FIRST EPSS | Exploitation probability scores | Daily |
Limitations
- Observation bias: We only track publicly visible exploits. Private or nation-state exploits may exist earlier.
- CISA KEV date precision: CISA provides date-only granularity, which can produce an artificially negative TTE for same-day additions.
- PoC vs weaponized: A GitHub proof-of-concept is not the same as a weaponized exploit, but it marks the start of the exploitation timeline.
- NVD publication lag: CVEs may be reserved months before publication, creating the appearance of negative TTE for pre-existing exploits.