[Cryptography] When did zero day attacks become commonplace?

dan at geer.org dan at geer.org
Sat Dec 13 15:07:51 EST 2014


 | Back in the mid 1990s, the idea an attacker would hit you with a 'zero-day'
 | was considered a mythical possibility. Anyone who suggested it might happen
 | was scaremongering. Then within the space of a few weeks they went from
 | being unheard of to routine.
 | 
 | I am trying to track down when the transition occurred for a talk. I
 | remember there being a sharp transition but I can't place when.


My memory says that it was 2006 plus/minus two, but I am not remembering
an event so much as an observation that once crafting exploits got
too hard to be a hobby it became a profession.  The hobbyist, paid
in bragging rights, brags thus broadcasting his knowledge.  The
professional, paid in currency and perhaps by N>1 buyers, says
nothing, thus not broadcasting his knowledge.  Surely the percentage
of attacks that are based on previously unknown avenues of attack
must rise when motivations undergo a sea change like making exploit
crafting too hard to be a hobby and/or paying for R&D out of revenue.

I'm sure someone has numbers or a way to look at various records
(someone working in attack remediation, say?) and detect when it
was that the ratio of major attacks due to pedestrian vulnerabilities
to major attacks due to previously unknown ones began to change.
If there was a discontinuity, a ratio like the above would tend
to make it visible.

Thinking out loud,

--dan


