It doesn't support your assertion but it's still interesting 2008-2010 data from an antivirus vendor. It's talking about how long some vulnerabilities were exploited by malware before getting disclosed, use in targeted attacks, and so on.
I don't think it says that about the set of all vulnerabilities (IOW - citation needed!).
It does say "In this paper, we consider only exploits that have been used in real-world attacks before the corresponding vulnerabilities were disclosed" so it's unsurprising that in their dataset this is the case :)
Yeap, you're right, I misread. Here is a quote from the paper: "15% of these exploits were created before the disclosure of the corresponding vulnerability." So there's a lower bound.