We say “zero day” like it means something special. It used to.
Originally, “zero day” came from the warez scene: “0‑day” software was a release cracked and distributed the same day it launched. On early Bugtraq and the hacker mailing lists the term migrated to vulnerabilities: a flaw the vendor does not know about, for which no patch exists, and which is often already circulating underground. The arithmetic is what made it stick: the clock starts when the vendor learns of the flaw, so a zero day is one the vendor has had zero days to fix, and by extension defenders have had zero days to respond.
By the time iDefense’s Vulnerability Contributor Program (2002) and TippingPoint’s Zero Day Initiative (2005) were paying researchers for bugs, and RAND was studying the resulting markets, zero day had a relatively narrow meaning: a vulnerability unknown to the vendor, with no official fix, and especially one under active, undisclosed exploitation. RAND’s research (Ablon, Libicki and Golay on cybercrime markets, later Ablon and Bogart on zero‑day stockpiles) documented brokers selling exploits for six and seven figures alongside the bounty programmes of ZDI and its peers. The assumption was simple: if you have a zero day, you have power.
Over time, though, we broke the term.
Look at the data. NIST’s NVD and CISA’s KEV (Known Exploited Vulnerabilities) catalogue are full of CVEs that headlines call “zero day threats” or “zero day attacks” even when the vendor had published a patch months earlier, or disclosure preceded exploitation. Think of the ProxyLogon bugs in Exchange (CVE-2021-26855 and friends). The first exploitation, by the group Microsoft named HAFNIUM, genuinely predated Microsoft’s out‑of‑band patch of 2 March 2021, so that phase was a zero day in the strict sense. What dominated the headlines, though, were the following weeks: mass scanning and webshell drops by many groups against servers that already had a patch available. Were those zero day attacks? No. Attackers simply raced to weaponise a disclosed vulnerability before most orgs had applied the patch. Yet media briefings, even vendor blogs, lazily called the whole episode a “zero day attack.”
Or take MOVEit Transfer (CVE-2023-34362). Unknown to Progress Software while Cl0p was already exploiting it, it briefly fit the old‑school definition. But once a patch existed and was widely available the term stuck, even as the real story shifted to terrible patch cadence and supply chain hygiene. Log4Shell (CVE-2021-44228) is another case: once the Log4j maintainers released fixes (and the follow‑up releases that closed the gaps in the first one), every unpatched instance was not a “zero day” in any meaningful sense; it was a known, mitigated vulnerability being exploited against slow defenders.
The uncomfortable truth is that “zero day” has become a marketing word, not a technical one. Vendors use it in advisories to make a flaw sound exotic and terrifying. Resellers use it to justify expensive “zero day protection” tooling. Media uses it because it makes every vulnerability sound like a blockbuster movie. CISA nudges the same language when calling for urgency on KEV, even when the gap is not an unknown vulnerability but operational neglect.
NIST and CISA actually care about prioritisation, patch velocity, attack surface reduction, and configuration hygiene. Yet the industry’s narrative gets stuck on the mythic “unknown unknown” exploit, while the boring discipline of inventorying assets, enforcing patch SLAs, and validating mitigations gets treated as unglamorous.
At some point, calling any high-profile exploited bug a “zero day” becomes a confession: we’d rather talk about magic bullets and mystical exploits than admit that our basic cyber hygiene is broken.
So here is the question: if we stop hiding behind the “zero day lie,” and actually measure time-to-patch, patch coverage, and exploitability in our own environments, how many of our “unprecedented, novel attacks” would just look like predictable consequences of our own neglect?
More at https://securitycyber.uk
Mastodon: https://infosec.exchange/@securitycyber
LinkedIn: https://www.linkedin.com/in/charlie-collins-sec
Bluesky: https://bsky.app/profile/securitycyberuk.bsky.social
Substack: https://securitycyber.substack.com
Discord: https://discord.gg/securitycyber
Recommended resources to go deeper: https://www.hackthebox.com for hands-on practice, https://portswigger.net/web-security for free web security labs, and https://academy.tcm-sec.com for structured courses.
Originally published at https://securitycyber.uk