Zero-Day Vulnerabilities: What They Are and Why They're Dangerous
A zero-day vulnerability is a security flaw in software that the vendor doesn't know about — and therefore hasn't patched. The name comes from the number of days the developer has had to fix it: zero. While it remains unpatched and unknown to defenders, attackers who know about it have a free pass into any system running the vulnerable software.
The Discovery-to-Patch Timeline
The lifecycle of a zero-day has several stages. Discovery — a researcher or attacker finds the vulnerability. Weaponisation — an exploit is written that turns the vulnerability into an attack tool. Deployment — the exploit is used in attacks. Disclosure — someone (ideally the researcher) tells the vendor. Development — the vendor creates a patch. Distribution — users install the patch. The dangerous window is everything between discovery and distribution.
In 2021, a zero-day in Microsoft Exchange Server (ProxyLogon) was exploited by Chinese state-sponsored hackers for months before Microsoft discovered it. Within 72 hours of Microsoft releasing a patch, over 30,000 US organisations had been compromised — attackers raced to exploit systems before patches could be applied. The patch existing doesn't help if nobody installs it.
The Zero-Day Market
Zero-day vulnerabilities in widely used software are valuable enough to buy and sell. Zerodium, a broker, publicly advertises prices: up to $2.5 million for a zero-day chain that achieves remote code execution on a fully patched iPhone with no user interaction. Governments and intelligence agencies are major buyers — they want exploits to use in offensive operations and don't want vendors to know about them.
That's a deliberate policy choice, not an oversight. When a government buys a zero-day and uses it operationally, they make a conscious decision not to disclose it to the vendor. Every organisation running that software remains vulnerable. This is the VEP (Vulnerabilities Equities Process) debate: should governments use or disclose vulnerabilities they find?
How to Reduce Your Exposure
You can't patch a zero-day before the patch exists. What you can do: reduce your attack surface by minimising exposed services and software, apply patches the day they're released (especially critical patches), use endpoint detection tools that look for exploit behaviour rather than known signatures, and segment your network so a compromise in one area doesn't spread instantly.
Responsible Disclosure: The Ethical Path
When a security researcher finds a zero-day, they face a choice: disclose publicly (dangerous), sell to a broker (lucrative but ethically complex), or notify the vendor privately and give them time to patch (responsible disclosure). The standard for responsible disclosure is 90 days — a timeline pioneered by Google's Project Zero team. If the vendor doesn't release a patch within 90 days of private notification, Project Zero publishes regardless.
The 90-day deadline is controversial. Vendors with complex codebases and release processes argue it's not enough time. Security researchers counter that unlimited disclosure timelines let vendors deprioritise patches indefinitely. The Google Project Zero data shows that the 90-day policy works — the overwhelming majority of vulnerabilities they report get patched within the deadline when vendors know the clock is ticking. The threat of public disclosure is, apparently, a good motivator.
Check Your IP and Port Exposure
See which services you have exposed to the internet — reducing surface area reduces zero-day risk.
Run Port ScanAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
TLS 1.3: What Changed and Why You Should Care
TLS 1.3 dropped a decade of accumulated cruft from its predecessor and came out faster, more secure, and harder to attack. Understanding what changed matters for anyone running web infrastructure.
SSL Certificates Explained Without the Jargon
SSL certificates enable HTTPS and underpin trust on the web. The certificate system is more complex — and more fragile — than the padlock icon suggests.
What Is a Botnet and How Your Device Could Be Part of One
Botnets are networks of compromised devices under attacker control. They power spam campaigns, DDoS attacks, and fraud — and your home device might be in one right now.
IP Spoofing: What It Is and How to Defend Against It
IP spoofing forges the source address on packets. It's the foundation of some of the most disruptive attacks on the internet — and it still works because basic filtering isn't universally deployed.
