In March 2017 the RAND Corporation released a report “Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits”. The goal was to assess the public policy of governments stockpiling or releasing so-called 0-day exploits. While that remains an open question, the report and underlying data set of real-world exploits provides valuable insights into software engineering for security and resilience. This talk will provide an overview of the report and what it means for builders and defenders.