Five years ago, when a security weakness in software was discovered and made public, defenders had nearly a year to fix it before hackers would exploit the flaw. That buffer has evaporated. Today, the average time between discovery and exploitation is just over one day.
The Zero-Day Clock, which tracks this metric, projects the situation will deteriorate dramatically. By next year, defenders will have roughly one hour to patch vulnerabilities before hackers weaponise them.
This is a crisis in cybersecurity.
A vulnerability is a security flaw in software. When discovered, developers announce it publicly so everyone can patch their systems. Historically, this announcement gave IT teams and individuals time to install updates before attackers could exploit the weakness. That window protected millions of computers and networks worldwide.
But hackers have become faster and more automated. Machine learning tools can now scan for vulnerabilities and develop exploits in hours. The arms race has shifted decisively in the attacker's favour.
The data reveals the severity. Five years ago, 31% of known vulnerabilities were exploited before public disclosure. Today, that figure is 73.2%. Meanwhile, the percentage of vulnerabilities that remain unexploited a week after disclosure has collapsed. Last year, about 24% of flaws survived longer than six weeks. Now, essentially none do.
The cybersecurity researchers behind this data are calling for systemic change. They want software makers held legally liable for serious security flaws. They want governments to treat cybersecurity as a national priority and fund defences the way they fund armies. They want artificial intelligence tools designed to help defenders, not just attackers. They want programming languages that are inherently safer, like Rust, adopted widely because 70% of vulnerabilities stem from memory-safety bugs that Rust prevents.
They also want a cultural shift. Historically, no major industry has improved safety without government intervention. Cars only became safer because of regulation. The same will likely be true for software.
The one-hour window represents a future where patching vulnerabilities becomes nearly impossible. It is a wake-up call that the current approach to cybersecurity has failed.