A zero-day vulnerability (or 0-day) is a security flaw in software or hardware that is unknown to the vendor and therefore has no available patch or fix. The name refers to the fact that developers have had zero days to address it. Until a patch is released, every system running the affected software is potentially exposed.
Why Zero-Days Are Dangerous
- No patch exists — traditional "keep everything updated" advice doesn't help.
- Vendors have no warning and cannot protect users proactively.
- Security tools may not detect attacks that exploit unknown vulnerabilities.
- Nation-state actors and sophisticated criminal groups actively seek and trade zero-days.
Zero-Day Lifecycle
- Discovery — A researcher, attacker or intelligence agency finds the vulnerability.
- Exploitation window — If kept secret, it can be exploited for days, months or years.
- Disclosure — The vulnerability is reported (responsibly or publicly) or used in an attack.
- Patch release — The vendor develops and releases a fix. The vulnerability is no longer zero-day.
- Patching lag — Systems remain vulnerable until administrators apply the patch.
Responsible Disclosure
Security researchers who find vulnerabilities are encouraged to follow responsible disclosure (also called coordinated disclosure): notify the vendor privately and give them a reasonable time (typically 90 days) to release a patch before making the vulnerability public.
Mitigating Zero-Day Risk
- Defence in depth — Layered security so that one exploited vulnerability doesn't compromise everything.
- Least privilege — Limits the damage if an attacker gains a foothold.
- Behaviour-based detection — Security tools that detect unusual behaviour rather than known signatures.
- Network segmentation — Limits lateral movement after a breach.
- Apply patches quickly — Once a patch is released, apply it as soon as possible.