Averaged over the last three years for only major software vendors, the figure on any given day was 58.
Extrapolating these numbers to the entire universe of serious undisclosed flaws is tricky not least because other firms such as Google, Mozilla, Facebook and more recently Microsoft and Yahoo also now pay researchers for critical flaws, but it is a reasonable inference that only a small part of the iceberg is visible.
"It is NSS' belief that the figures represent only a minimum estimate of the number of 'known unknowns' and of the amount of time that users are exposed to them" said Frei, who added that he believed the number of flaws not known about on any given day was around 100.
"Some of the parties involved in the exploitation of vulnerabilities have no desire to coordinate vulnerability information with the affected vendors, potentially using this information for offensive operations."
Not all of these entities are criminal and includes smaller boutique research and software broker firms running their own paid and reverse-engineering programmes, defence contractors and of course government agencies such as the NSA. Some of these flaws will come to the notice of the affected vendor through other channels, while many others will surely not.
"It is safe to assume that cyber criminals and government agencies primarily purchase vulnerabilities and exploits that target prevalent products from major vendors. Therefore, these "known unknowns" pose a real and present threat to the security of corporate and private software users," concluded Frei.
His recommendations are that the scale of the vulnerability and zero-day problem is now so vast that enterprises can't simply rely on patching cycles to dig them out of trouble. Cybercriminals are simply too far head on vulnerabilities and firms should assume they will fall prey to unknown vulnerabilities and direct their effort to spotting the results of breaches once they happen.
It would also be unwise to assume that the greatest threat comes from nation states which are certainly not the only entities with money to spend buying zero-days from black hat researchers, according to Frei.
As for software vendors, all would probably benefit from offering bug bounty programmes and should start viewing them as a necessary part off their business model.
Sign up for MIS Asia eNewsletters.