The report comes as White House cybersecurity czar Rob Joyce says he is reviewing the Vulnerability Equities Process — the policy structure that decides whether zero-days found by U.S. agencies should be disclosed to the manufacturer.

Attributing cyberattacks and other malicious online activities is tough. The RAND Corp. has an idea for cutting through the public skepticism that lies beyond the technical difficulties.

A new study from the RAND Corp. upends much of the conventional wisdom on zero day vulnerability disclosure — they are rarely discovered independently, which makes hoarding them more effective.