Zero Day Exploits
Zero-day exploits target vulnerabilities that are not yet known to the vendor and for which no patch is yet available. These vulnerabilities are like a key to a secret door: whoever discovers one first can use it before defenders have any chance to close it, and working exploits are often shared or sold on underground markets. They get their name from the fact that developers and the public have had “zero days” of awareness and “zero days” to try to close the vulnerabilities.
NIST’s glossary defines a zero-day attack as “an attack that exploits a previously unknown hardware, firmware, or software vulnerability.” Because no patch exists yet, defenders cannot rely on signatures for the specific flaw. They fall back on general defenses such as least privilege, anti-malware behavioral analysis, network monitoring, and defense in depth.
Zero-day vs. n-day
Once a vulnerability is publicly known and a patch is available, exploits against it are no longer “zero-day”. They are usually called n-day exploits, where n is the number of days that have passed since the fix shipped. Zero-days grab the headlines, but a large share of real-world breaches use n-day vulnerabilities against systems that have not yet installed the patch. CISA maintains the Known Exploited Vulnerabilities (KEV) catalog, which identifies flaws that are currently being weaponized in the wild so that defenders can prioritize their patching.
Coordinated disclosure
To reduce the window during which a bug is exploitable, most security-research teams follow a coordinated vulnerability disclosure (CVD) process: the finder reports the flaw privately to the vendor, the vendor is given time to ship a fix, and only then is the vulnerability publicly documented. This is contrasted with full disclosure, where the finder publishes technical details immediately — sometimes as leverage to force an unresponsive vendor to act.
- Google’s Project Zero gives vendors 90 days from notification to release a patch and publishes technical details 30 days after the patch ships. If a bug is already being exploited in the wild, the deadline shortens to 7 days.
- The Zero Day Initiative uses a longer 120-day window before publishing.
- CISA operates a Coordinated Vulnerability Disclosure Program that mediates disclosure among researchers, vendors, and downstream operators of critical infrastructure.
The trade-off is between giving vendors time to fix the issue and giving defenders enough information to protect themselves. Public disclosure — even before a patch — can be the lesser evil when a vendor refuses to act on a serious vulnerability.