Independent Reproducibility Guide

Step 1 — Collect the CVE universe

Source: NVD (nvd.nist.gov)

Download the full NVD CVE dataset from nvd.nist.gov/vuln/data-feeds or query the NVD REST API. Each CVE record includes a published date — this is t_disclosure, the starting point for TTE.

Filter to CVEs with IDs from 2018 onward. Use the CVE ID year (e.g. CVE-2022-* → 2022 cohort), not the NVD publication year — NVD occasionally re-indexes older CVEs with new publication dates, which would otherwise distort recent cohorts.

Step 2 — Identify confirmed-exploited CVEs

Sources: CISA KEV · VulnCheck KEV · VulnCheck XDB

ZeroDayClock only includes CVEs with confirmed in-the-wild exploitation — roughly 1.5% of all published CVEs. Cross-reference the NVD universe against:

• CISA Known Exploited Vulnerabilities (KEV) — cisa.gov/known-exploited-vulnerabilities-catalog. Free JSON download. U.S. government-confirmed active exploitation. Each entry includes a dateAdded field used as the exploit signal date.
• VulnCheck KEV — vulncheck.com/browse/kev. Free community tier available. Analyst-confirmed exploitation corroborated by Shadowserver honeypot data, GreyNoise scanning telemetry, and vendor advisories. Broader and faster than CISA KEV.
• VulnCheck XDB *(timestamp supplement only)* — vulncheck.com/browse/xdb. Used as a timing proxy for CVEs published before 2022, where CISA KEV's late launch (November 2021) means KEV timestamp coverage is thin. XDB does not change which CVEs are included — all CVEs in the dataset are still KEV-confirmed. It only provides an earlier timestamp when KEV timestamps are unavailable.

Step 3 — Compute TTE for each CVE

For each CVE in the confirmed-exploited set, compute:

Apply five data quality rules before computing statistics:

1. Drop exploit timestamps before 2010 — these are database defaults, not real observations.
2. Drop TTE < −180 days — retroactively assigned CVEs produce extreme negative TTE; real zero-day campaigns are typically −30 to −90 days.
3. Use CVE ID year for cohort bucketing — assign each CVE to the year in its CVE ID (CVE-2022-* → 2022), not the NVD publication year.
4. Floor same-day midnight TTE to 0 — KEV sources store date-only timestamps (T00:00:00Z). When the exploit date equals the publication date and the exploit timestamp is midnight, record TTE = 0 rather than a small negative fraction.
5. Exclude cohort years before 2018 — sparse data and no systematic KEV coverage before 2018.

Step 4 — Compute yearly statistics

Group the cleaned TTE values by cohort year and compute two measures:

• Median TTE — sort all TTE values for the year, take the middle value. Robust against outliers (a CVE exploited years after disclosure does not move it).
• 10% Trimmed Mean — remove the bottom 5% and top 5% of TTE values, then average the remainder. More sensitive to real trend shifts than the median. For cohorts with 20 or fewer CVEs, use the arithmetic mean instead.
• Zero-day rate — percentage of CVEs in each cohort where TTE ≤ 0 (exploitation confirmed on the same day as disclosure, or before).

Last independent audit

Audit run 2026-05-11 by an independent agent with no prior project context.