Hi Crispin,
I agree with almost everything you say until here:
"I continue to dismiss the requirement that an 0day be found
maliciously exploiting machines, because that requires inferring
intent."
IMO, everybody in this thread is taking this from an
inside-to-outside approach, whereas a '0day'
I politely disagree... if there are no measurements then there can be
no metrics (or is that the other way around? :-) There has to be a
start some place; i.e. in your examples, David's time can be recorded
to the hour, and even the researcher/analyst could have a rating to
compensate for skill di
