Introduction
Reports of Exploit-DB’s death were greatly exaggerated. After publishing almost no exploits for four months, Exploit-DB is alive and publishing new exploits with a vengeance. As collectors of exploits, we missed Exploit-DB (EDB) and we’re glad it's back. But while EDB was on hiatus, we found that 0day.today was a reliable stand-in. Now with both projects alive and kicking, we wanted to get a better understanding of these exploit databases, and how they differ.
Number of Exploits
Exploit-DB and 0day.today aren’t just exploit databases. Outside of exploits, they both have growing collections of shellcode, and EDB maintains large repositories of research papers and Google dorks. But the main draw is their exploits. By exploit volume, EDB is king. With more than 45,000 exploits [1], EDB exceeds 0day.today’s offering of just under 38,000 [2]. On both fronts, that’s a lot of exploits. But how relevant are they? Both exploit repositories have timestamps on their exploits, so let’s graph those.
[Figure: Total Exploits Per Year]
This graph says a few interesting things, but the first thing we’d like to call out is the “date” that is published by EDB. We believe this is generally reliable, but they also have a number of exploits published from 1988 through the 1990s, all of which predate EDB. There may be a small amount of backdating going on (or something akin) but overall it didn’t appear to be an issue.
The peak of these two projects is wild. In 2010, they both added 4,700+ exploits. That’s almost 13 new exploits every day of the year. They have mightily fallen though. In 2022, 0day.today published 943 exploits, and EDB only managed 401. In fact, we were surprised to find that 0day.today has published more exploits per year than EDB since 2012 (with the exception of 2019). For whatever reason, we thought EDB was the standard and 0day.today the challenger. It might be the other way around.
There is a pretty obvious reason for the drop off in exploits. The rise of bug bounties (and associated platforms) might come to mind, but that's only a small drop in the bucket. We've found that the missing exploits are almost entirely found on social coding platforms like GitHub, GitLab, Gitee, Gist, etc. The huge shortfalls affecting these two databases are more or less correlated to the rise in popularity of these services. Social coding platforms were not wildly popular in 2010 (the 0day.today and EDB peak). Nowadays every coder has a GitHub account. Which means they don't need EDB or 0day.today anymore. They can avoid the hassle of submitting their work for third party editing and moderation, and simply upload the exploit/research to their own account.
Exploits with Associated CVE
That isn't to say we believe third party moderation is a bad thing. We know all too well that curating an exploit database is a real challenge now that exploits are scattered across social coding platforms. But it's a worthwhile endeavour. Both red and blue teams benefit from a curated database that includes CVE to exploit mappings. EDB outperforms 0day.today in this regard. They've been more likely, historically, to tag their exploits with an associated CVE identifier. The following graph shows the total exploits for each CVE year (CVE-YYYY):
[Figure: Exploits By CVE Year (CVE-YYYY)]
During the massive peak in 2010, 0day.today attached very few CVE to their exploits even though they were publishing at the same rate as EDB. But since 2016, on a yearly basis, 0day.today has published more exploits associated with a CVE-ID than EDB. EDB might have 0day.today beat historically, but they trail 0day.today more recently.
Unique Exploits
For the exploits that have associated CVE, we can also determine the uniqueness of each database. For example, do both databases have exploits for CVE-2023-1270 or is that CVE unique to one database? The measurement of uniqueness is interesting, because one database can more or less eliminate the need for the other by dominating on the number of unique exploits. The following bar graph shows the amount of overlap between the two databases.
[Figure: Unique CVE]
We can see Exploit-DB dominates from this point of view. 0day.today is hurt by its poor history of associating exploits to CVE, and is left with only 1,979 unique CVE in their database compared to EDB’s 19,577. While that would suggest that EDB is the better database, we also know that 0day.today is currently publishing more exploits per year. So it seems we can’t write off either database quite yet.
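The CVE-year count and the uniqueness measurement described above come down to extracting CVE IDs from each record and comparing the resulting sets. The following is an added example, not VulnCheck's code; the record fields (`id`, `title`, `codes`) and the 2098/2099 CVE IDs are constructed for illustration.

```python
import re
from collections import Counter

# CVE IDs look like CVE-YYYY-NNNN, with four or more digits in the last part.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample records; field names and the 2098/2099 IDs are made up.
EDB_SAMPLE = [
    {"id": "edb-1", "title": "Example CMS 1.0 - SQL Injection", "codes": "CVE-2023-1270"},
    {"id": "edb-2", "title": "Example Router - Command Injection", "codes": "cve-2098-00001"},
    {"id": "edb-3", "title": "Example FTP Server - Denial of Service", "codes": ""},
]
ZDT_SAMPLE = [
    {"id": "zdt-1", "title": "Example CMS 1.0 SQLi (CVE-2023-1270)", "codes": ""},
    {"id": "zdt-2", "title": "Example NAS chain CVE-2099-00002 + CVE-2098-00003", "codes": ""},
]

def cves_in(record):
    """Normalized CVE IDs found in a record's tag field or title."""
    text = f"{record.get('codes', '')} {record.get('title', '')}"
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}

def cve_set(records):
    """All distinct CVE IDs that have at least one exploit in a database."""
    return set().union(*(cves_in(r) for r in records))

def exploits_by_cve_year(records):
    """Exploit count per CVE year (the YYYY of the ID, not the publish date)."""
    counts = Counter()
    for rec in records:
        # An exploit covering CVEs from two years counts once in each year.
        for year in {cve.split("-")[1] for cve in cves_in(rec)}:
            counts[year] += 1
    return dict(counts)

def compare(db_a, db_b):
    """Split CVE coverage into unique-to-A, unique-to-B and shared."""
    a, b = cve_set(db_a), cve_set(db_b)
    return {"only_a": sorted(a - b), "only_b": sorted(b - a), "shared": sorted(a & b)}

if __name__ == "__main__":
    print(compare(EDB_SAMPLE, ZDT_SAMPLE))
    print(exploits_by_cve_year(ZDT_SAMPLE))
```

Records with no CVE tag, such as `edb-3`, drop out of both measurements entirely, which is why a database that rarely tags CVEs looks small on the uniqueness chart regardless of how many exploits it holds.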
Exploit Authors
Both databases are largely composed of user submissions. With such large databases, we thought it would be interesting to see who the top 10 exploit authors were. We were somewhat surprised that the top four were identical for both projects. Although, given the amount of overlap between the databases, perhaps it shouldn’t have been a surprise.
[Figure: Top 10 0day.today Authors]
[Figure: Top 10 Exploit-DB Authors]
It’s impressive to see the individual researchers that have produced so much content that they made it into these top 10 lists. LiquidWorm, Luigi Auriemma, rgod, hyp3rlinx, etc. are well established in the profession so it isn’t a huge surprise that their exploits ended up in both databases, but the sheer volume is inspiring and says a lot about the impact the individual researcher can still have on the profession.
Conclusion
EDB and 0day.today both contain tens of thousands of exploits, and although there is a good amount of overlap between the projects, they each offer their own unique exploits. While many modern exploit developers may be moving to other venues (such as GitHub), these databases continue to be updated with new content and they contain historical exploits that have otherwise long fallen off the internet. Hopefully they continue to operate for many years to come.
Do you like exploits? So do we! VulnCheck maintains the largest collection of exploits. For more information, register for a VulnCheck account today by loading https://vulncheck.com and clicking “Register”.
Footnotes
[1] Data collected on March 25, 2023. EDB published dozens of exploits after this date, so any 2023-specific statistics might look wrong, but the reality is they were largely silent until late March.
[2] You might be thinking, “Hey! The 0day.today website says they have more than 38,000 exploits!” That’s true, but we aren’t 100% sure how they arrived at that number. We believe they only exceed 38,000 if you include shellcode in the count. Which we don’t.