Forecasting in-the-wild 0days: 2023

Posted February 1, 2023

How many in-the-wild 0days will we observe in 2023? See the 2022 forecast for more explanation of this process, and for last year’s forecast outcome.

Project Zero maintains a list of 0day vulnerabilities observed in the wild.

Project Zero saw 36 0days in the wild in 2022.

Results

This panel of 11 expects, with 90% certainty, that between 26.18 and 55.27 in-the-wild 0days will be discovered in 2023.

Discussion

This year’s discussion was very quiet compared to the 2022 forecast. The general sentiment was that the variability in 0day discovery is mostly unchanged from last year’s discussion. For reference, the major points of discussion in the 2022 forecast were:

  • Do we have evidence of 0day detection opportunities?
  • Will more companies disclose 0day exploitation?
  • Are security organizations resourcing in-the-wild 0day detection efforts?
  • Will attackers continue targeting the OS and browser?
  • Will detection quality improve?
  • Does the future of WFH matter?
  • Are escalation channels improving?

We’ll see what happens in 2023 and keep tabs on anything that might increase or reduce the number of 0days we see in the wild. Our forecast will be scored in January 2024.

To receive updates on future forecasts, follow @magoo.