A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it. If someone publishes a PoC, it is not a 0-day, just a vulnerability.

▲

Retr0id 3 hours ago | parent | next [-]

No, the days start counting from the availability of a patch.

	▲	rmast 2 hours ago \| parent \| next [-]
		I was thinking that the other definition was right and this correction was wrong. Then I did some searching and found multiple examples of both definitions in use, making things murky. So I turned to Merriam-Webster’s dictionary: “ of, relating to, or being a vulnerability (as in a computer or computer system) that is discovered and exploited (as by cybercriminals) before it is known to or addressed by the maker or vendor” And of course they use an “or” to make it ambiguous as to whether the days start counting when the vulnerability becomes known, or when the vendor has addressed it.
	▲	0123456789ABCDE 2 hours ago \| parent \| prev [-]
		what if a path is never released?

▲

richbell 2 hours ago | parent | prev | next [-]

I've only heard it used as Retr0id's definition.

▲

cubefox 41 minutes ago | parent | prev [-]

> A friendly reminder that a 0-day is a vulnerability that wasn't known until after a malicious actor exploited it.

No, the full name was always "zero-day exploit". The number 0 refers to the days between the vulnerability being known by the vendor and the public availability of the exploit. So the vendor has zero days to create a security patch before the release of the exploit.

The term "zero-day vulnerability" is a derived term to refer to a vulnerability affected by a zero-day exploit. Similarly, a "zero-day attack" is a derived term to refer to an attack carried out using a zero-day exploit.