The report claimed that 94 per cent of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure.
Disclosing exploit code along with a security advisory is accepted practice among many security researchers.
However, according to the X-Force report, vulnerabilities disclosed by independent researchers are twice as likely to have zero-day exploit code published.
IBM believes that this calls into question how researchers practise vulnerability disclosure, and highlights a need for a new standard in the industry.
"The two major themes in the first half of 2008 were acceleration and proliferation," said X-Force operations manager Kris Lamb.
"We see a considerable acceleration in the time a vulnerability is disclosed to when it is exploited, with an accompanying proliferation of vulnerabilities overall."
Lamb warned that, without a unified process for disclosing vulnerabilities, the research industry runs the risk of actually fuelling online criminal activity.
"There is a reason why X-Force does not publish exploit code for the vulnerabilities we have found, and perhaps it is time for others in our field to reconsider this practice," he said.