A zero-day is a security vulnerability that the software, firmware, or hardware vendor does not yet know about, and for which no patch exists. The name comes from the defender’s perspective: from the moment the flaw is first exploited, the vendor has had zero days to develop and ship a fix. NIST’s glossary defines a zero-day attack as “an attack that exploits a previously unknown hardware, firmware, or software vulnerability.”
The danger of a zero-day is that ordinary defenses assume known threats. Antivirus signatures, patch schedules, and advisories all rely on the vulnerability having been discovered and documented first. A true zero-day bypasses that entire model, because there is nothing to detect or patch against until someone finds and discloses it.
Because they are reliable and stealthy, zero-day exploits are valuable. Attackers, criminal groups, and government agencies pay for them. A market has grown around discovery and sale: legitimate vendors and bug-bounty programs buy flaws to fix them, while gray-market brokers and black-market sellers trade working exploits to buyers who want to use them. Prices for exploits against widely used platforms can reach six or seven figures.
Once a zero-day is disclosed or detected in the wild, it stops being a zero-day in the strict sense, because the vendor now knows about it. The race then shifts to patching: defenders rush to deploy a fix while attackers rush to exploit unpatched systems before the update spreads. This window is why prompt patching is a core security practice.