# Zero-day A zero-day is a vulnerability that is discovered or exploited before the vendor can issue a patch to fix it. Security researchers who discover new vulnerabilities should inform the vendor privately and allow time for a fix to be developed before making the vulnerability public. The time allowed is often 90 days by convention, but this may be reduced depending on the status of the vulnerability. Zero-day vulnerabilities have significant financial value. Consequently, an adversary will only use a zero-day vulnerability for high-value attacks. State security and law enforcement agencies are known to stockpile zero days to facilitate the investigation of crimes. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://abrahamreyes9.gitbook.io/cysa+/1.0-threat-and-vulnerability-management/1.1-explain-the-importance-of-threat-data-and-intelligence/threat-classification/zero-day.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.