What is a Zero-Day? Security Vulnerability Basics


TL;DR

A zero-day is a vulnerability unknown to the software vendor, meaning there are zero days of warning before it can be exploited. No patch exists yet. Zero-days are valuable and dangerous because traditional defenses cannot block what they do not know about. Defense in depth, behavioral detection, and rapid patching when fixes release are your best protections.

The Simple Explanation

Someone discovers a bug in software that the developers do not know about. Until the developers learn about it and release a fix, attackers can exploit it freely. The term "zero-day" refers to having zero days to patch before attacks can occur. Once disclosed, it is a race between patching and exploitation.

Zero-Day Terminology

Term                      Meaning
Zero-day vulnerability    Unknown or unpatched flaw
Zero-day exploit          Code that attacks the vulnerability
Zero-day attack           Active exploitation in the wild
Disclosure                When the vendor learns of the flaw
Patch                     The fix that closes the vulnerability

Zero-Day Timeline

From discovery to patch
  1. Vulnerability exists (unknown)
  2. Researcher or attacker discovers it
  3. If disclosed: vendor notified, patch developed
     If exploited: attacks occur in the wild
  4. Patch released
  5. Users apply patch
  6. No longer a zero-day

The danger window is between discovery and patch application on your systems.

Who Finds Zero-Days

  • Security researchers: Report through bug bounties
  • Government agencies: For intelligence/defense
  • Criminal hackers: For attacks or sale
  • Exploit brokers: Buy and sell to various buyers
  • Internal testing: Vendors find their own bugs

Zero-days are not magic. They are just vulnerabilities nobody knows about yet. Good security hygiene, defense in depth, and monitoring still help. An attacker using a zero-day still leaves traces that detection systems can catch.

Defense Strategies

  • Defense in depth: Multiple security layers
  • Least privilege: Limit damage from any exploit
  • Network segmentation: Contain breaches
  • Behavioral detection: Catch unusual activity
  • Rapid patching: Apply fixes as soon as available
  • Monitoring: Detect compromises early
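The behavioral detection and monitoring points above rest on the observation that an exploit for an unknown flaw still has to do something observable afterwards. The following is an added example (not code from this glossary's author) of what that looks like in practice: a small detector that runs over constructed process-creation telemetry and applies two rules, a document-handling application spawning a command interpreter, and an executable that appears on only one host in the fleet. The event schema, the hostnames, the image names and both rules are illustrative assumptions standing in for real EDR data.

```python
"""Behavioral detection over process-creation telemetry.

Added example for this glossary entry; not code from the page's author.
The event schema, the sample telemetry and the two rules below are
constructed assumptions that stand in for real EDR data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcessEvent:
    host: str           # hostname reporting the event
    parent_image: str   # executable name of the parent process
    image: str          # executable name of the newly created process
    cmdline: str        # command line (constructed, illustrative only)


# Rule 1: document-handling applications almost never need to start a
# command interpreter. Whatever flaw put code inside the viewer, the
# follow-on step has to show up in telemetry like this.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def document_app_spawns_interpreter(ev: ProcessEvent) -> bool:
    return (ev.parent_image.lower() in DOCUMENT_APPS
            and ev.image.lower() in INTERPRETERS)


# Rule 2: an executable seen on only one host in the fleet deserves a look,
# because a signature-based tool cannot know it is bad yet.
def rare_images(events: List[ProcessEvent], max_hosts: int = 1) -> Dict[str, List[str]]:
    hosts_by_image: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        hosts_by_image[ev.image.lower()].add(ev.host)
    return {img: sorted(hosts) for img, hosts in hosts_by_image.items()
            if len(hosts) <= max_hosts}


def detect(events: List[ProcessEvent]) -> List[str]:
    """Return one human-readable finding per matched rule, rule 1 first."""
    findings = []
    for ev in events:
        if document_app_spawns_interpreter(ev):
            findings.append(f"{ev.host}: {ev.parent_image} spawned {ev.image}")
    for img, hosts in rare_images(events).items():
        findings.append(f"rare image {img} seen only on {', '.join(hosts)}")
    return findings


# Constructed sample telemetry: three workstations, one suspicious chain on
# ws-02 (document viewer -> interpreter -> executable no other host runs).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ProcessEvent("ws-01", "winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent("ws-01", "explorer.exe", "cmd.exe", "cmd.exe"),
    ProcessEvent("ws-02", "explorer.exe", "winword.exe", "winword.exe invoice.docx"),
    ProcessEvent("ws-02", "winword.exe", "powershell.exe", "powershell.exe <constructed>"),
    ProcessEvent("ws-02", "powershell.exe", "updatesvc.exe", "updatesvc.exe"),
    ProcessEvent("ws-03", "explorer.exe", "cmd.exe", "cmd.exe"),
    ProcessEvent("ws-03", "explorer.exe", "winword.exe", "winword.exe memo.docx"),
    ProcessEvent("ws-03", "winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent("ws-03", "explorer.exe", "powershell.exe", "powershell.exe <constructed>"),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Note that neither rule knows anything about the vulnerability itself; both key on what happens after exploitation, which is exactly why they keep working when no signature or patch exists yet. The benign print helper (splwow64.exe) spawned by Word on two hosts is not flagged by either rule, while the interpreter launch on ws-02 and the fleet-unique executable it started are.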

Why are zero-days so dangerous?

Zero-days are dangerous because there is no patch to apply. Traditional defenses like antivirus may not detect them. Attackers can exploit these vulnerabilities without defenders knowing the attack vector exists. Only defense-in-depth and behavioral detection help.

How much do zero-days cost?

Zero-day exploits are valuable commodities. Prices range from thousands to millions of dollars depending on the target (iOS, Chrome, Windows) and capabilities. Bug bounty programs pay tens of thousands; government buyers and exploit brokers pay much more. This market incentivizes both disclosure and secrecy.

How can I protect against zero-days?

Use defense in depth: multiple security layers so one bypass does not mean total compromise. Implement least privilege, network segmentation, endpoint detection, and behavioral monitoring. Keep systems updated to minimize exposure time when patches do release. Have an incident response plan ready.
