Zero-day

A zero-day is a vulnerability that is discovered or exploited before the vendor can issue a patch to fix it.

Security researchers who discover new vulnerabilities should inform the vendor privately and allow time for a fix to be developed before making the vulnerability public. The time allowed is often 90 days by convention, but this may be reduced depending on the status of the vulnerability.

Zero-day vulnerabilities have significant financial value. Consequently, an adversary will only use a zero-day vulnerability for high-value attacks. State security and law enforcement agencies are known to stockpile zero-days to facilitate the investigation of crimes.
