The "Zero Day Clock" is a Masterclass in Bad Data Science.
I've heard this clock mentioned multiple times at #RSAC this week. It predicts an "exponential collapse" of the time-to-exploit (TTE) toward zero. It makes for a scary keynote slide, but the math is fundamentally broken.
The model suffers from:
Right-Censoring: It ignores that the slower exploits of 2025 vulnerabilities haven't happened yet, so only the fast ones are in the data and the "average" is artificially pulled toward zero.
Selection Bias: It only tracks the fastest 1.5% of vulnerabilities and ignores the "long tail."
Administrative Lag: It mistakes the growing NVD backlog for "attacker velocity."
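An added illustration of the right-censoring point (my own constructed example, not code from the post or the linked gist): two cohorts share the exact same true time-to-exploit values, but the recent cohort has only had 40 days of observation. A naive mean over exploits seen so far "collapses", while a Kaplan-Meier median that accounts for the censored, not-yet-exploited vulnerabilities reports the same value for both.

```python
from fractions import Fraction

# Constructed true time-to-exploit values in days, shared by both cohorts,
# so any gap between cohorts is purely a measurement artifact.
TRUE_TTE_DAYS = [1, 3, 7, 14, 30, 60, 90, 180, 365, 540]


def observe(true_ttes, disclosure_day, cutoff_day):
    """Apply right-censoring: an exploit that lands after the analysis
    cutoff has not been seen yet, so it appears as a censored duration."""
    window = cutoff_day - disclosure_day
    durations = [min(t, window) for t in true_ttes]
    observed = [t <= window for t in true_ttes]
    return durations, observed


def naive_mean_tte(durations, observed):
    """The 'clock' style estimator: average only the exploits seen so far."""
    seen = [d for d, o in zip(durations, observed) if o]
    return sum(seen) / len(seen)


def km_median_tte(durations, observed):
    """Kaplan-Meier median: censored items stay in the risk set until they
    drop out, so unexploited-so-far vulnerabilities still count."""
    event_times = sorted({d for d, o in zip(durations, observed) if o})
    survival = Fraction(1)  # exact arithmetic, no float rounding at 0.5
    for t in event_times:
        at_risk = sum(1 for d in durations if d >= t)
        exploited = sum(1 for d, o in zip(durations, observed) if d == t and o)
        survival *= 1 - Fraction(exploited, at_risk)
        if survival <= Fraction(1, 2):
            return t
    return None  # median not reached: over half are still unexploited


def compare_cohorts(cutoff_day=1000):
    """Old cohort (disclosed day 0) vs recent cohort (disclosed day 960)."""
    out = {}
    for name, disclosed in (("2023", 0), ("2025", 960)):
        durations, observed = observe(TRUE_TTE_DAYS, disclosed, cutoff_day)
        out[name] = (naive_mean_tte(durations, observed),
                     km_median_tte(durations, observed))
    return out


if __name__ == "__main__":
    for cohort, (naive, km) in compare_cohorts().items():
        print(f"{cohort}: naive mean TTE {naive:6.1f} d   KM median {km} d")
```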
We don’t need hyperbolic "scare-ware" statistics to justify our urgency. Defense is hard enough without distorting the data.
I’ve written a full technical audit on why this methodology fails a basic statistical peer review:
Technical Breakdown: https://gist.github.com/jgamblin/91f7843b62069616c951f32957c921cd
#RSAC #RSAC2026 #Infosec #CyberSecurity #DataScience #VulnerabilityManagement
