Back of the Envelope Errata

My back of the envelope calculations have been mentioned at securitybuddha and security4all. Reading their posts, I realized that I had not properly qualified my assertion. Please note that my estimate that 93.75% of all vulnerabilities are undisclosed does not mean that anyone necessarily knows about them – that is, I suspect that a huge portion of those undisclosed vulnerabilities are also undiscovered.

In addition, Jericho at OSVDB was intrigued by my undercover vulnerability data and now has a searchable field in the database that identifies whether a vulnerability was discovered through exploits in the wild. We are working through all of the candidates to verify whether they qualify.