Defining Zero-Day
As we get flooded with vulnerabilities, we need better defined terms
The term zero-day is ubiquitous in cybersecurity. Yet, like many of our terms, it means different things to different people. This can be problematic - the more our terms lack common meaning, the more we risk miscommunication[1].
Anthropic’s Mythos has brought discussions of vulnerabilities to the forefront of cybersecurity discussions and into mainstream conversations, making this an opportune time to discuss and clarify terms like zero-day.
A zero-day is, first and foremost, a case of information asymmetry. An adversary knows something its target does not. When it is more broadly discovered that an unknown vulnerability has been used against targets, it is said to be a ‘zero-day’, because it has been zero days since it was discovered.
Definitions
Here’s what I came up with after reviewing over a dozen definitions from a wide variety of sources[2]. There were more disagreements than agreements.
A software bug is a defect in software[3].
A software vulnerability is an exploitable software bug that could cause harm if exploited by adversaries.
A zero-day vulnerability is an exploitable flaw in software or systems that is unknown to defenders and could cause harm if exploited by adversaries.
Why is this important?
The term zero-day should evoke a need for immediate action. This urgency is lost if we apply this term to every newly discovered vulnerability.
Anthropic, in its announcement of Mythos, defined zero-day vulnerabilities as:
“bugs that were not previously known to exist.”
A zero-day must be exploitable and must be a threat.
The narrative that all software bugs are dangerous is problematic because it could draw resources away from more impactful and important security work.
When does a zero-day stop being a zero-day?
A zero-day vulnerability ceases to be a zero-day when defenders gain enough knowledge to mitigate the vulnerability.
Conclusion
As the rate of vulnerability discovery increases, it is more important than ever to identify truly dangerous vulnerabilities. The term zero-day should be reserved for vulnerabilities that demand immediate focus and response. Kim Zetter’s hall-of-fame book on Stuxnet is titled Countdown to Zero Day because zero-day vulnerabilities are dangerous. At the time, it was unheard of for a piece of malware to use multiple zero-day vulnerabilities[4].
AI companies are now security companies. The same caution we take with security vendor hyperbole now needs to be applied to security claims from OpenAI and Anthropic as both struggle to justify their lofty valuations. It clearly benefits foundation AI companies to lock software companies into an endless cycle of AI generated code, AI-driven scans, and AI-generated fixes. On that topic, I have another post:
Notes
[1] This is my fancy way of saying people on the Internet are using the term zero-day wrong.
[2] Wikipedia, Kim Zetter, Symantec (historical), IBM, Fortinet, Splunk, Crowdstrike, HPE, Safe Security, universities, SANS, NIST, Google Project Zero, Google Mandiant
[4] Stuxnet contained four zero-day exploits.