Zero-day vulnerability
from Wikipedia

A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its developers or anyone capable of mitigating it.[1] Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.[2][3]

The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day software" was obtained by hacking into a developer's computer before release. Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them.[4][5][6] Vendors who discover the vulnerability may create patches or advise workarounds to mitigate it – though users need to deploy that mitigation to eliminate the vulnerability in their systems. Zero-day attacks are severe threats.[7]

Definition

Despite developers' goal of delivering a product that works entirely as intended, virtually all products contain software and hardware bugs.[8] If a bug creates a security risk, it is called a vulnerability. Vulnerabilities vary in their ability to be exploited by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a denial of service attack. The most valuable allow the attacker to inject and run their own code, without the user being aware of it.[9] Although the term "zero-day" initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no patch or other fix is available.[10][11][12] A zero-day exploit is any exploit that takes advantage of such a vulnerability.[9]

Exploits

An exploit is the delivery mechanism that takes advantage of the vulnerability to penetrate the target's systems, for such purposes as disrupting operations, installing malware, or exfiltrating data.[13] Researchers Lillian Ablon and Andy Bogart write that "little is known about the true extent, use, benefit, and harm of zero-day exploits".[14] Exploits based on zero-day vulnerabilities are considered more dangerous than those that take advantage of a known vulnerability.[15][16] However, it is likely that most cyberattacks use known vulnerabilities, not zero-days.[14]

Governments of states are the primary users of zero-day exploits, not only because of the high cost of finding or buying vulnerabilities, but also the significant cost of writing the attack software. Nevertheless, anyone can use a vulnerability,[11] and according to research by the RAND Corporation, "any serious attacker can always get an affordable zero-day for almost any target".[17] Many targeted attacks[18] and most advanced persistent threats rely on zero-day vulnerabilities.[19]

In 2017, the average time to develop an exploit from a zero-day vulnerability was estimated at 22 days.[20] The difficulty of developing exploits has been increasing over time due to increased anti-exploitation features in popular software.[21]

Window of vulnerability


Figure: Vulnerability timeline

Zero-day vulnerabilities are often classified as alive—meaning that there is no public knowledge of the vulnerability—and dead—the vulnerability has been disclosed, but not patched. If the software's maintainers are actively searching for vulnerabilities, it is a living vulnerability; such vulnerabilities in unmaintained software are called immortal. Zombie vulnerabilities can be exploited in older versions of the software but have been patched in newer versions.[22]

Even publicly known and zombie vulnerabilities are often exploitable for an extended period.[23][24] Security patches can take months to develop,[25] or may never be developed.[24] A patch can have negative effects on the functionality of software[24] and users may need to test the patch to confirm functionality and compatibility.[26] Larger organizations may fail to identify and patch all dependencies, while smaller enterprises and personal users may not install patches.[24]

Research suggests that risk of cyberattack increases if the vulnerability is made publicly known or a patch is released.[27] Cybercriminals can reverse engineer the patch to find the underlying vulnerability and develop exploits,[28] often faster than users install the patch.[27]

According to research by RAND Corporation published in 2017, zero-day exploits remain usable for 6.9 years on average,[29] although those purchased from a third party only remain usable for 1.4 years on average.[20] The researchers were unable to determine if any particular platform or software (such as open-source software) had any relationship to the life expectancy of a zero-day vulnerability.[30] Although the RAND researchers found that 5.7 percent of a stockpile of secret zero-day vulnerabilities will have been discovered by someone else within a year,[31] another study found a higher overlap rate, as high as 10.8 percent to 21.9 percent per year.[32]

Countermeasures

Because, by definition, there is no patch that can block a zero-day exploit, all systems employing the software or hardware with the vulnerability are at risk. This includes secure systems such as banks and governments that have all patches up to date.[33] Security systems are designed around known vulnerabilities, and repeated exploitations of a zero-day exploit could continue undetected for an extended period of time.[24] Although there have been many proposals for a system that is effective at detecting zero-day exploits, this remains an active area of research in 2023.[34]

Many organizations have adopted defense-in-depth tactics so that attacks are likely to require breaching multiple levels of security, which makes them more difficult to achieve.[35] Conventional cybersecurity measures such as training, and access controls such as multi-factor authentication, least-privilege access, and air-gapping, make it harder to compromise systems with a zero-day exploit.[36] Since writing perfectly secure software is impossible, some researchers argue that driving up the cost of exploits is a good strategy to reduce the burden of cyberattacks.[37]

Market

Zero-day exploits can fetch millions of dollars.[11] There are three main types of buyers:[38]

  • White: sales to the vendor, or to third parties such as the Zero Day Initiative that disclose to the vendor. Often such disclosure is in exchange for a bug bounty.[39][40][41] Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead. It is not uncommon to receive cease-and-desist letters from software vendors after disclosing a vulnerability for free.[42]
  • Gray: the largest[11] and most lucrative. Government or intelligence agencies buy zero-days and may use them in an attack, stockpile the vulnerability, or notify the vendor.[38] The United States federal government is one of the largest buyers.[11] As of 2013, the Five Eyes (United States, United Kingdom, Canada, Australia, and New Zealand) captured the plurality of the market, and other significant purchasers included Russia, India, Brazil, Malaysia, Singapore, North Korea, and Iran. Middle Eastern countries were poised to become the biggest spenders.[43]
  • Black: organized crime, which typically prefers exploit software rather than just knowledge of a vulnerability.[44] These users are more likely to employ "half-days", where a patch is already available.[45]

In 2015, the markets for government and crime were estimated to be at least ten times larger than the white market.[38] Sellers are often hacker groups that seek out vulnerabilities in widely used software for financial reward.[46] Some will only sell to certain buyers, while others will sell to anyone.[45] White market sellers are more likely to be motivated by non-pecuniary rewards such as recognition and intellectual challenge.[47] Selling zero-day exploits is legal.[41][48] Despite calls for more regulation, law professor Mailyn Fidler says there is little chance of an international agreement because key players such as Russia and Israel are not interested.[48]

The sellers and buyers that trade in zero-days tend to be secretive, relying on non-disclosure agreements and classified information laws to keep the exploits secret. If the vulnerability becomes known, it can be patched and its value consequently crashes.[49] Because the market lacks transparency, it can be hard for parties to find a fair price. Sellers might not be paid if the vulnerability was disclosed before it was verified, or if the buyer declined to purchase it but used it anyway. With the proliferation of middlemen, sellers could never know to what use the exploits could be put.[50] Buyers could not guarantee that the exploit was not sold to another party.[51] Both buyers and sellers advertise on the dark web.[52]

Figure: Comparing the average prices of different kinds of exploits, 2015–2022

Research published in 2022 based on maximum prices paid as quoted by a single exploit broker found a 44 percent annualized inflation rate in exploit pricing. Remote zero-click exploits could fetch the highest price, while those that require local access to the device are much cheaper.[53] Vulnerabilities in widely used software are also more expensive.[54] They estimated that around 400 to 1,500 people sold exploits to that broker and they made around $5,500 to $20,800 annually.[55]

Disclosure and stockpiling

As of 2017, there is an ongoing debate as to whether the United States should disclose the vulnerabilities it is aware of, so that they can be patched, or keep them secret for its own use.[56] Reasons that states keep a vulnerability secret include wanting to use it offensively, or defensively in penetration testing.[17] Disclosing the vulnerability reduces the risk that consumers and all users of the software will be victimized by malware or data breaches.[8]

The phases of zero-day vulnerability disclosure, along with a typical timeline, are as follows:

  1. Discovery: A researcher identifies the vulnerability, marking "Day 0".
  2. Reporting: The researcher notifies the vendor or a third party, starting remediation efforts.
  3. Patch development: The vendor develops a fix, which can take weeks to months depending on the complexity.
  4. Public disclosure: Once a patch is released, details are shared publicly. If no patch is issued within an agreed period (commonly 90 days), some researchers disclose it to push for action.

History

Zero-day exploits increased in significance after services such as Apple, Google, Facebook, and Microsoft encrypted servers and messages, meaning that the most feasible way to access a user's data was to intercept it at the source before it was encrypted.[33] One of the best-known uses of zero-day exploits was the Stuxnet worm, which used four zero-day vulnerabilities to damage Iran's nuclear program in 2010.[14] The worm showed what could be achieved by zero-day exploits, unleashing an expansion in the market.[43]

The United States National Security Agency (NSA) increased its search for zero-day vulnerabilities after large tech companies refused to install backdoors into the software, tasking the Tailored Access Operations (TAO) with discovering and purchasing zero-day exploits.[57] In 2007, former NSA employee Charlie Miller publicly revealed for the first time that the United States government was buying zero-day exploits.[58] Some information about the NSA involvement with zero-days was revealed in the documents leaked by NSA contractor Edward Snowden in 2013, but details were lacking.[57] Reporter Nicole Perlroth concluded that "either Snowden’s access as a contractor didn’t take him far enough into the government’s systems for the intel required, or some of the government’s sources and methods for acquiring zero-days were so confidential, or controversial, that the agency never dared put them in writing".[59]

One of the most infamous vulnerabilities discovered after 2013, Heartbleed (CVE-2014-0160), was not a zero-day when publicly disclosed but underscored the critical impact that software bugs can have on global cybersecurity. This flaw in the OpenSSL cryptographic library could have been exploited as a zero-day prior to its discovery, allowing attackers to steal sensitive information such as private keys and passwords.[60]

In 2016 the hacking group known as The Shadow Brokers released a trove of sophisticated zero-day exploits reportedly stolen from the NSA. These included tools such as EternalBlue, which leveraged a vulnerability in Microsoft Windows' Server Message Block (SMB) protocol. EternalBlue was later weaponized in high-profile attacks like WannaCry and NotPetya, causing widespread global damage and highlighting the risks of stockpiling vulnerabilities.[61]

The year 2020 saw one of the most sophisticated cyber espionage campaigns to date, in which attackers exploited multiple vulnerabilities, including zero-day vulnerabilities, to compromise SolarWinds' Orion software. This allowed access to numerous government and corporate networks.[62]

In 2021 Chinese state-sponsored group, Hafnium, exploited zero-day vulnerabilities in Microsoft Exchange Server to conduct cyber espionage. Known as ProxyLogon, these flaws allowed attackers to bypass authentication and execute arbitrary code, compromising thousands of systems globally.[63]

In 2022 the spyware Pegasus, developed by Israel's NSO Group, was found to exploit zero-click vulnerabilities in messaging services like iMessage and WhatsApp. These exploits allowed attackers to access targets' devices without requiring user interaction, heightening concerns over surveillance and privacy.[64]

from Grokipedia
A zero-day vulnerability (also known as a 0-day) is a previously unknown security flaw in software, hardware, or firmware that remains unknown to the vendor, developers, or anyone capable of mitigating it, allowing exploitation before a patch or other defense exists. Such vulnerabilities pose severe risks because attackers can exploit them undetected, often leading to unauthorized access, malware installation, or system compromise, with no immediate remedy available to defenders. The term "zero-day" refers to the fact that developers have had zero days to address the issue before exploitation occurs, creating a narrow window where threat actors hold a significant advantage.

Zero-day vulnerabilities follow a lifecycle that begins when the flaw exists in released code but remains undetected, potentially for months or years. Discovery—whether by security researchers, defenders, or malicious actors—triggers a race: defenders work to develop patches while attackers may rapidly create and deploy exploits. In some cases, vendors are notified privately through responsible disclosure, but if attackers exploit the flaw first or sell it on black markets, widespread damage can occur before mitigation. Notable historical examples include Stuxnet, which leveraged multiple zero-days in Microsoft Windows to target industrial systems, and Log4Shell, a flaw in the Log4j library exploited across millions of devices before patches were widely applied.

The rise of artificial intelligence amplifies these challenges in two key ways. First, AI-powered tools and large language models (LLMs) are increasingly capable of discovering zero-day vulnerabilities in traditional software at a scale and speed far beyond human or conventional methods, as demonstrated by models identifying high-severity flaws in well-tested open-source codebases. Second, AI systems themselves introduce novel and unpredictable vulnerabilities due to emergent behaviors, learned properties from training data, model drift, and reliance on complex APIs or third-party integrations—vulnerabilities that do not fit traditional definitions and resist conventional patching or CVE processes. This makes AI security a new frontier akin to zero-day risks, where previously unseen classes of flaws can emerge from architectural novelty and dynamic behavior, outpacing current mitigation strategies.

Countering zero-days requires layered defenses, including anomaly-based detection powered by machine learning, rapid patching, and proactive measures such as AI-driven vulnerability discovery to shift the balance toward defenders. As AI adoption accelerates, addressing these evolving threats demands new approaches to transparency, independent testing, and security-by-design principles tailored to intelligent systems.

Definition and terminology

Definition

A zero-day vulnerability (also known as a zero-day or 0-day) is a security flaw in software, hardware, or firmware that remains unknown to the vendor, developers, or other parties capable of mitigating it, and for which no patch, fix, or effective workaround has been created or deployed. The term "zero-day" refers to the number of days the vendor has known about the vulnerability—namely zero—before it is exploited or otherwise becomes a concern for mitigation. It is important to distinguish the zero-day vulnerability, which is the underlying security flaw itself, from a zero-day exploit, which is the malicious code, technique, or method that actively takes advantage of the flaw.

Etymology and naming conventions

The term "zero-day" (also written as "0-day", "zero day", or "0day") originated in the cybersecurity community to denote a security flaw about which the affected software vendor or developer has had zero days to learn of its existence and develop a patch or mitigation before it is exploited. This naming reflects the immediate and time-critical nature of such vulnerabilities, as the vendor's knowledge window is effectively zero at the moment of exploitation. The convention emphasizes the absence of prior awareness: the "zero" indicates that no time has passed for the responsible party to respond, distinguishing these flaws from vulnerabilities discovered through responsible disclosure, where the vendor receives advance notification. The term evolved in technical and hacker communities, where "0day" became a shorthand for newly discovered, unpatched exploits traded or discussed in underground forums and early exploit databases.

Common naming variations include "zero-day vulnerability" to refer specifically to the underlying security flaw, and "zero-day exploit" to denote the weaponized code or technique that takes advantage of that flaw. While the terms are sometimes used interchangeably in popular media, technical literature often maintains this distinction to clarify that the vulnerability is the weakness itself, whereas the exploit is the active attack vector. The hyphenated form "zero-day" is now the most prevalent in professional security reports, academic papers, and mainstream media coverage. A zero-day vulnerability refers to a security flaw in software, hardware, or firmware that is unknown to the vendor or developers responsible for mitigating it, meaning no patch or fix exists at the time of potential exploitation. In contrast, a zero-day exploit is the malicious code, tool, or technique developed to actively take advantage of that specific vulnerability, often packaged as malware to enable unauthorized access or other harmful actions.

Zero-day vulnerabilities differ from N-day vulnerabilities, which are publicly disclosed flaws for which a patch may be available but has not yet been widely applied or fully mitigated. The "N" denotes a variable period (often weeks or months) since disclosure, during which systems remain at risk if patching lags. One-day vulnerabilities represent a specific subset of N-day issues, typically where a patch exists but exploitation occurs rapidly—often within a day of disclosure—due to publicly released proof-of-concept code or automated scanning tools. Known-but-unpatched flaws generally align with N-day vulnerabilities, as they are documented risks that persist due to delays in remediation rather than complete ignorance of the issue.

In cybersecurity risk management, zero-day vulnerabilities exemplify unknown unknowns—risks that are not only unforeseen but also unimaginable within current threat models. Unlike known vulnerabilities (whether patched or unpatched), zero-days evade signature-based detection and traditional defenses precisely because they lie outside existing knowledge and anticipation.

Lifecycle of a zero-day

Discovery phase

The discovery phase of a zero-day vulnerability involves the identification of previously unknown security flaws in software, hardware, or firmware through systematic technical investigation before the vendor or developers become aware. Primary discovery methods include reverse engineering, fuzzing, code audits, and behavioral analysis. Reverse engineering entails disassembling and analyzing binary code without access to source code to uncover hidden flaws. Fuzzing uses automated tools to supply invalid, unexpected, or random inputs to a program in hopes of triggering crashes or anomalous behavior that reveals vulnerabilities. Code audits range from manual static and dynamic analysis to in-depth logic reviews, often involving taint analysis or other techniques to trace and identify exploitable conditions. Behavioral analysis monitors runtime execution for deviations from expected patterns, helping detect flaws that manifest only under specific conditions.

Advanced tools further enhance discovery capabilities. Symbolic execution explores multiple program paths mathematically to identify unreachable or vulnerable states without full execution. More recently, AI-assisted approaches, including large language models, have emerged to reason over codebases, analyze historical fixes, and pinpoint high-severity issues in well-tested software more efficiently than traditional methods in some cases.

Key actors in zero-day discovery include independent security researchers, commercial security firms, nation-state entities, and malicious actors. Independent researchers and bug hunters often participate through bounty programs or private efforts. Security firms, such as those operating zero-day initiatives, employ specialists for systematic hunting. Nation-state agencies and their contractors invest heavily in finding vulnerabilities for strategic purposes. Malicious actors, including cybercriminals, also discover flaws for potential exploitation or sale. Once discovered, zero-day vulnerabilities may be sold or stockpiled rather than immediately disclosed.

Weaponization and stockpiling

Weaponization refers to the process of transforming a discovered zero-day vulnerability into a functional exploit, which involves developing reliable code capable of consistently triggering the flaw to achieve unauthorized actions such as privilege escalation. This requires deep technical expertise, including reverse engineering the target system, crafting memory manipulation primitives, or ensuring stability across varied environments.

Once weaponized, zero-day exploits may be stockpiled rather than disclosed. Nation-states and intelligence agencies commonly retain these capabilities for strategic purposes, including espionage or maintaining a deterrent effect against adversaries. Commercial surveillance vendors and some criminal groups also stockpile zero-days, either for sale on vulnerability marketplaces or for future exploitation. To increase reliability and bypass defenses, attackers sometimes combine multiple zero-day vulnerabilities into exploit chains, where sequential exploitation achieves broader objectives such as sandbox escape or system-level access that a single vulnerability might not enable. Such chains have been particularly prevalent in targeting mobile devices.

Exploitation phase

The exploitation phase of a zero-day vulnerability occurs when attackers actively deploy their exploit against live targets in the wild, typically after weaponization and before the vulnerability becomes publicly known or patched. During this phase, threat actors leverage the absence of mitigations or signatures to achieve unauthorized access and pursue their objectives, often with high success rates due to defenders' lack of prior awareness.

Exploitation generally progresses through several interconnected stages. Initial access is achieved by delivering the exploit payload, often via targeted phishing, compromised websites, or direct attacks on exposed systems, allowing attackers to bypass authentication and establish a foothold. Following initial compromise, attackers commonly pursue privilege escalation to obtain higher levels of control within the target environment. Persistence mechanisms are then implemented to maintain access even across reboots or partial remediation efforts, while lateral movement enables expansion across networks to reach additional systems or sensitive assets. These post-exploitation activities align with common advanced persistent threat behaviors but are enabled by the zero-day's unknown status, which prevents signature-based blocking during execution.

Zero-day exploitation is particularly difficult to detect in real time because no known signatures or patches exist to flag malicious activity. Indicators often rely on behavioral anomalies rather than pattern matching, including unusual process spawning, unexpected outbound connections to command-and-control infrastructure, atypical system commands, deviations from baseline network traffic patterns, abnormal data exfiltration attempts, or signs of lateral movement and privilege escalation. Such anomalies may appear as legitimate activity in enterprise environments, especially when targeting networking or security appliances that lack comprehensive endpoint monitoring coverage.

Attribution of zero-day exploitation poses significant challenges due to the stealth inherent in these attacks. The absence of prior indicators and the potential for prolonged undetected access obscure the origin of the activity, while advanced operational security practices by some actors further reduce traceability. In many tracked cases, only a portion of exploits can be confidently attributed to specific threat groups, complicating efforts to identify perpetrators and respond effectively. Many high-profile cyber incidents have involved zero-day exploitation during this phase (see Notable zero-day vulnerabilities and incidents for details).
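The behavioral indicators listed above can be turned into baseline-deviation checks. The following is an added example, not code from the original page or from any vendor: it learns normal parent/child process pairs and process/destination pairs from a constructed "known-good" log window, then flags events in a later window that deviate from that baseline (unseen process spawning, an office application launching a shell, reconnaissance commands, unseen outbound destinations, and large transfers to them). The log format, field names and thresholds are assumptions chosen for the demo.

```python
"""Baseline-deviation triage over constructed endpoint telemetry (added example)."""
import json

# Category lists are assumptions for the demo, not a vendor's detection content.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
RECON_TOOLS = {"whoami.exe", "net.exe", "ipconfig.exe", "nltest.exe"}
EXFIL_BYTES = 10 * 1024 * 1024  # 10 MiB in a single connection (assumed threshold)

# Constructed "known-good" learning window. In practice this is historical telemetry.
BASELINE_LOG = """
{"ts":"2024-01-10T09:00:01","host":"ws01","event":"process","parent":"explorer.exe","child":"outlook.exe"}
{"ts":"2024-01-10T09:00:05","host":"ws01","event":"process","parent":"explorer.exe","child":"winword.exe"}
{"ts":"2024-01-10T09:01:10","host":"ws01","event":"network","process":"outlook.exe","dst":"mail.example.internal","port":443}
{"ts":"2024-01-10T09:02:00","host":"ws01","event":"process","parent":"services.exe","child":"svchost.exe"}
{"ts":"2024-01-10T09:03:00","host":"ws01","event":"network","process":"chrome.exe","dst":"www.example.com","port":443}
"""

# Constructed window under investigation: a document viewer spawning a shell,
# a new outbound destination, a recon command, and a large transfer.
REVIEW_LOG = """
{"ts":"2024-01-11T14:00:01","host":"ws01","event":"process","parent":"explorer.exe","child":"winword.exe"}
{"ts":"2024-01-11T14:00:09","host":"ws01","event":"process","parent":"winword.exe","child":"powershell.exe"}
{"ts":"2024-01-11T14:00:12","host":"ws01","event":"network","process":"powershell.exe","dst":"203.0.113.7","port":4444}
{"ts":"2024-01-11T14:00:30","host":"ws01","event":"process","parent":"powershell.exe","child":"whoami.exe"}
{"ts":"2024-01-11T14:01:00","host":"ws01","event":"network","process":"outlook.exe","dst":"mail.example.internal","port":443}
{"ts":"2024-01-11T14:02:00","host":"ws01","event":"network","process":"powershell.exe","dst":"203.0.113.7","port":4444,"bytes_out":52428800}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Record which parent->child and process->destination pairs count as normal."""
    baseline = {"spawns": set(), "dests": set()}
    for ev in events:
        if ev["event"] == "process":
            baseline["spawns"].add((ev["parent"], ev["child"]))
        elif ev["event"] == "network":
            baseline["dests"].add((ev["process"], ev["dst"]))
    return baseline


def analyze_event(ev, baseline):
    """Return the reasons this event deviates from the baseline (empty if none)."""
    reasons = []
    if ev["event"] == "process":
        pair = (ev["parent"], ev["child"])
        if pair not in baseline["spawns"]:
            reasons.append("unseen parent/child pair")
        if ev["parent"] in OFFICE_APPS and ev["child"] in SHELLS:
            reasons.append("office app spawned a shell")
        if ev["child"] in RECON_TOOLS:
            reasons.append("host reconnaissance command")
    elif ev["event"] == "network":
        pair = (ev["process"], ev["dst"])
        if pair not in baseline["dests"]:
            reasons.append("unseen outbound destination")
            if ev.get("bytes_out", 0) >= EXFIL_BYTES:
                reasons.append("large transfer to unseen destination")
    return reasons


def detect_anomalies(review_events, baseline):
    """Return one finding per event that deviates from the baseline."""
    findings = []
    for ev in review_events:
        reasons = analyze_event(ev, baseline)
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"], "reasons": reasons})
    return findings


def run_demo():
    """Learn from BASELINE_LOG and triage REVIEW_LOG."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(parse_log(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["ts"], finding["host"], "; ".join(finding["reasons"]))
```

As the text notes, each of these signals can also occur legitimately, so the output is a triage queue for an analyst rather than a verdict.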

Disclosure and patching

Disclosure and patching for zero-day vulnerabilities involves balancing the need to inform vendors and users of a security flaw with the risk of enabling exploitation by adversaries during the mitigation period. The primary approaches include coordinated (or responsible) disclosure, full disclosure, and no disclosure (also known as private or silent disclosure). In coordinated disclosure, researchers privately report the vulnerability to the vendor or a coordinator, allowing time for patch development before public release, whereas full disclosure publishes details immediately—often without a fix available—and no disclosure keeps the information secret, potentially for exploitation or stockpiling.

Coordinated Vulnerability Disclosure (CVD) has emerged as the preferred framework, aiming to reduce adversary advantage while vulnerabilities are mitigated through a structured process that includes reporting, validation, remediation, and controlled public disclosure. CVD presumes benevolence on the part of reporters, avoids surprises in multi-party negotiations, and incentivizes cooperation by rewarding good behavior. The process typically involves discovery (by researchers), reporting to vendors or coordinators, validation and prioritization, remediation (such as patch development), public awareness, and deployment of fixes, continuing until risks are fully addressed.

Government and industry bodies support CVD through dedicated programs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) operates a Coordinated Vulnerability Disclosure Program to collect, analyze, mitigate, and disclose vulnerabilities affecting critical infrastructure, coordinating with vendors to allow time for patches before public advisories and CVE assignment. If vendors are unresponsive, disclosure may occur as early as 45 days after initial contact. The CERT Coordination Center provides detailed guidance on CVD, emphasizing harm reduction, ethical reporting, and process improvement across roles including finders, reporters, vendors, deployers, and coordinators.

Vendors typically receive a fixed period to develop and release patches following notification. Policies vary: Google Project Zero grants vendors 90 days to fix a vulnerability, followed by public disclosure 30 days after a patch is available (or immediately after 90 days if no patch exists), with a shorter 7-day timeline for actively exploited cases. Other programs, such as those from the Zero Day Initiative, allow up to 120 days for patch release. During this embargo, vendors validate the issue, develop fixes, test them, and prepare advisories, though complex vulnerabilities or supply-chain dependencies can extend timelines. Delayed patching can leave systems exposed to exploitation, particularly if the vulnerability is already in the wild.
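The disclosure timelines quoted above (the four-phase Day 0 timeline in the earlier Wikipedia section and the 90/30/7-day Project Zero, 120-day ZDI and 45-day CISA figures here) can be expressed as a small deadline calculator. This is an added example, not tooling from Project Zero, ZDI or CISA; the `Policy` fields, the helper names, and the choice of a 0-day post-patch grace period for the ZDI and CISA entries (the text gives none) are assumptions.

```python
"""Disclosure-deadline calculator for the CVD policies described above (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    fix_window_days: int                   # days the vendor gets to ship a fix
    grace_after_patch_days: int            # delay between the patch and full public details
    exploited_window_days: Optional[int]   # shortened window when exploitation is in the wild


# Figures from the text above; 0-day grace for ZDI and CISA is an assumption.
PROJECT_ZERO = Policy("Google Project Zero", 90, 30, 7)
ZDI = Policy("Zero Day Initiative", 120, 0, None)
CISA_UNRESPONSIVE = Policy("CISA CVD, unresponsive vendor", 45, 0, None)


def disclosure_date(policy, reported, patched=None, exploited_in_wild=False):
    """Compute when details go public under `policy`.

    `reported` and `patched` are ISO dates (YYYY-MM-DD). Returns (iso_date, reason).
    Assumption: the post-patch grace period also applies in the in-the-wild case.
    """
    window = policy.fix_window_days
    if exploited_in_wild and policy.exploited_window_days is not None:
        window = policy.exploited_window_days
    report_day = date.fromisoformat(reported)
    deadline = report_day + timedelta(days=window)
    if patched is not None:
        patch_day = date.fromisoformat(patched)
        if patch_day < report_day:
            raise ValueError("patch date precedes report date")
        if patch_day <= deadline:
            public = patch_day + timedelta(days=policy.grace_after_patch_days)
            return public.isoformat(), f"patched within {window}-day window"
    # No patch, or the patch missed the deadline: details go public at the deadline.
    return deadline.isoformat(), f"{window}-day deadline reached without a fix"


def timeline(policy, discovered, reported, patched=None, exploited_in_wild=False):
    """Lay out the four phases from the text as (phase, date, note) rows,
    counting days from discovery ("Day 0")."""
    day0 = date.fromisoformat(discovered)

    def day_of(iso):
        return (date.fromisoformat(iso) - day0).days

    public, reason = disclosure_date(policy, reported, patched, exploited_in_wild)
    rows = [("discovery", discovered, "Day 0"),
            ("reporting", reported, f"Day {day_of(reported)}")]
    if patched is not None:
        rows.append(("patch", patched, f"Day {day_of(patched)}"))
    rows.append(("public disclosure", public, f"Day {day_of(public)}; {reason}"))
    return rows


if __name__ == "__main__":
    for row in timeline(PROJECT_ZERO, "2024-01-01", "2024-01-03", "2024-02-15"):
        print(*row, sep="  ")
```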

Markets and economics

Vulnerability marketplaces

Vulnerability marketplaces are commercial ecosystems where zero-day vulnerabilities and associated exploits are bought and sold, often through specialized brokers acting as intermediaries between independent security researchers and buyers. These markets encompass gray and black segments, with gray markets involving semi-legitimate transactions primarily to government and defense entities, while black markets operate clandestinely on anonymous channels to serve cybercriminals and other malicious actors.

In the gray market, brokers purchase high-quality zero-day exploits from researchers and resell them at a profit to clients such as government agencies seeking capabilities for intelligence gathering or defense. A major known broker is Crowdfense, which provides substantial payouts to researchers. Crowdfense offers rewards reaching $5 million to $7 million for certain iPhone zero-day exploits (such as zero-click full chains) and up to $5 million for Android exploits, depending on factors like the target platform and exploit quality. Governments rank among the largest buyers in these markets.

Pricing in these marketplaces is determined by multiple factors, including the popularity and market penetration of the affected software (with exploits for widely used systems like iOS or Windows commanding premiums), the exploit's reliability and stability, the level of privilege escalation (e.g., root or kernel access versus lower privileges), the attack vector (remote versus local), whether user interaction is required, and the exclusivity of the sale through confidentiality agreements. These elements combine to drive values into the millions of dollars for the most desirable exploits.

Black markets, by contrast, lack oversight and accountability, facilitating sales through encrypted channels and cryptocurrency payments to a broader range of buyers, including criminal organizations. This segment poses heightened risks due to the absence of ethical constraints on end-use.

Bug bounty programs

Bug bounty programs are structured initiatives in which organizations offer financial rewards to ethical security researchers for discovering and responsibly reporting vulnerabilities in their software, hardware, or systems. These programs, often hosted on dedicated platforms, incentivize coordinated vulnerability disclosure while providing researchers with legal protections through safe harbor provisions. Major platforms facilitating such programs include HackerOne and Bugcrowd, which connect organizations with global communities of researchers and have collectively facilitated millions in payouts. Payouts vary significantly based on vulnerability severity, target criticality, and program scope, with critical vulnerabilities—often including previously unknown issues akin to zero-days—commanding the highest rewards. Bugcrowd recommends ranges for critical (P1) vulnerabilities such as from $3,500–$4,500 at the low end to $11,000–$20,000 at the high end, with industry-specific adjustments reaching $50,000 or more for cryptocurrency-related targets. Some programs offer even higher maximums; for example, Apple's Security Bounty program provides up to $2 million for critical vulnerabilities in its products. In contrast, lower-severity issues typically receive payouts in the hundreds to low thousands of dollars, reflecting lower impact. By offering legitimate compensation and structured disclosure pathways, bug bounty programs encourage researchers to report vulnerabilities to vendors rather than pursuing other avenues, thereby contributing to a reduction in the availability of undisclosed zero-day vulnerabilities in alternative markets. Platforms like HackerOne have paid out substantial sums—such as $81 million in rewards over a 12-month period—demonstrating the scale of incentives driving ethical disclosure.

Government and corporate acquisition

Governments and large corporations acquire zero-day vulnerabilities through discovery during research or operations, as well as through purchases from independent security researchers and vulnerability brokers, often outside public disclosure channels and for strategic, intelligence, or defensive purposes. In the United States, the federal government uses the Vulnerabilities Equities Process (VEP), an interagency framework coordinated by the National Security Council, to evaluate newly discovered or acquired zero-day vulnerabilities. The process involves submission to an Equities Review Board comprising representatives from agencies including the NSA, the Department of Defense, the Department of Justice, the Department of Homeland Security, and others; the board weighs the risks of disclosure against those of retention, with a preference for disclosure to vendors for patching unless overriding interests in intelligence, law enforcement, or national security justify withholding. Retained vulnerabilities undergo annual reassessment, and the process prioritizes public cybersecurity while allowing temporary withholding for lawful government use.

Agencies such as the NSA have historically retained zero-days for operational use, with groups like the Equation Group associated with stockpiling and use of such vulnerabilities. Government-held zero-days have sometimes leaked to unauthorized parties, resulting in public exposure. Corporations, particularly major technology firms such as Google, may acquire zero-days defensively to identify and mitigate risks in their products, systems, or supply chains, though corporate practice typically emphasizes rapid patching through bug bounty programs rather than long-term retention.

Ethical and policy debates surround government retention of zero-days. Consequentialist arguments weigh national security benefits against the risk of public harm from unpatched flaws, while non-consequentialist perspectives view stockpiling as inherently problematic when it exposes civilians to foreseeable dangers without their consent. Critics contend that withholding vulnerabilities violates ethical obligations to protect the public, while supporters argue for calibrated retention to enable vital intelligence and defense activities.

Exploitation techniques and attack vectors

Common exploitation methods

Common exploitation methods for zero-day vulnerabilities leverage specific software flaws to achieve code execution, privilege escalation, or data manipulation. Attackers target classes of vulnerabilities that provide control over program flow or memory, often combining multiple techniques to overcome defenses.

Memory corruption vulnerabilities remain the dominant category, serving as the root cause of approximately 68% of zero-day vulnerabilities exploited in the wild. These include buffer overflows, where excess data overwrites adjacent memory, and use-after-free errors, where memory is accessed after it has been freed, enabling attackers to manipulate freed objects or execute arbitrary code. Such flaws are particularly exploitable in languages lacking built-in memory safety, like C and C++, and frequently lead to heap or stack corruption. Type confusion vulnerabilities arise when a program incorrectly interprets an object's type, allowing attackers to treat one data structure as another and induce memory corruption. This is especially prevalent in dynamic environments like JavaScript engines, where mispredictions in type handling can grant control over heap layouts and facilitate arbitrary code execution. Recent zero-days in browsers, including multiple instances in Chrome's V8 engine, have involved type confusion leading to heap corruption.

Logic bugs and race conditions offer alternative paths. Logic bugs stem from flawed program assumptions, enabling unexpected states or behaviors, while race conditions exploit timing discrepancies in concurrent access, often in multi-threaded code, to force inconsistent memory views or privilege escalation.

To bypass modern mitigations such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), attackers use advanced techniques. Return-Oriented Programming (ROP) chains short, legitimate instruction sequences ("gadgets") from existing code to construct malicious operations without injecting new code. JIT spraying floods memory with attacker-controlled constants during just-in-time compilation, increasing the predictability of code locations in JIT environments like browsers. These methods appear in the notable zero-day incidents discussed elsewhere in the article.

Delivery mechanisms

Zero-day exploits require effective delivery to reach and compromise vulnerable systems, and attackers employ a range of vectors tailored to the target's environment and the exploit's characteristics. These mechanisms introduce the exploit code or trigger its execution, often without the user's awareness and past traditional defenses.

Spear-phishing remains one of the most common delivery vectors: targeted emails trick recipients into opening malicious attachments or clicking links, which then exploit zero-day vulnerabilities in document viewers or browsers. Attackers craft these messages to appear legitimate, exploiting vulnerabilities in email clients or in attached file formats such as PDFs or Microsoft Office documents. Watering hole attacks compromise legitimate websites frequented by targeted groups, injecting exploit code that executes automatically when users visit the site, often targeting browser or plugin vulnerabilities. Drive-by downloads operate similarly, delivering exploits through malicious web pages that download and run code without user consent. Browser exploits, in particular, target rendering engines or JavaScript components to achieve code execution via compromised or malicious sites.

Supply chain compromises insert exploits into trusted software updates, hardware components, or third-party libraries, enabling widespread delivery when victims install or use the affected products. These attacks leverage the implicit trust placed in established distribution channels. Zero-click exploits are the stealthiest delivery method, requiring no user interaction whatsoever. They exploit vulnerabilities in applications that automatically process incoming data, such as messaging platforms, email clients, or phone software, allowing malicious code to execute upon receipt of specially crafted messages or calls.

These delivery mechanisms have appeared in various high-profile zero-day incidents, illustrating their effectiveness across targeted and opportunistic campaigns.

Post-exploitation behavior

After gaining initial access through exploitation of a zero-day vulnerability, attackers typically proceed to post-exploitation activities aimed at expanding their foothold, achieving persistence, and fulfilling their objectives while remaining undetected. These actions leverage the compromised system or network to deploy malicious payloads, move laterally, escalate privileges, and extract data. Payload deployment often occurs immediately after initial access, with attackers installing backdoors, ransomware, spyware, or other malware to maintain control and execute further malicious operations. Backdoors such as web shells provide a persistent channel for command execution, while ransomware encrypts files and displays ransom demands to extort victims. Spyware and other implants enable long-term monitoring or data collection. Attackers frequently perform privilege escalation to gain higher-level access, such as SYSTEM privileges, and conduct lateral movement to pivot across the network, compromising additional hosts or resources. This expansion allows them to reach sensitive assets or spread their presence more broadly. Data exfiltration involves collecting and transmitting sensitive information from compromised systems, often after credential harvesting or file access. Persistence mechanisms, including scheduled tasks, registry modifications, or injected processes, ensure continued access even after reboots or initial detection attempts. These behaviors appear consistently in major zero-day incidents.

Notable zero-day vulnerabilities and incidents

Historical landmark cases

One of the earliest high-profile examples of zero-day exploitation in the late 2000s involved client-side vulnerabilities in web browsers. Operation Aurora, which began in 2009 and was publicly disclosed in January 2010, exploited a previously unknown vulnerability in Microsoft Internet Explorer to deliver malware such as Trojan.Hydraq. The attack targeted over 30 major companies, including Google, Adobe, and Yahoo, resulting in the theft of intellectual property such as source code and unauthorized access to sensitive data. This sophisticated campaign, attributed to advanced persistent threat actors possibly linked to state sponsorship, demonstrated the effectiveness of zero-day exploits in targeted cyber espionage and highlighted the danger of unpatched browser flaws as a path to initial access. The incident prompted significant shifts in corporate security practices, including greater focus on protecting source code repositories, implementing behavioral anomaly detection, and reevaluating assumptions about network perimeter defenses against advanced threats. It also contributed to broader discussions of cyber espionage and influenced diplomatic responses, including official U.S. statements.

A landmark case that redefined the potential of zero-day vulnerabilities occurred in 2010 with the discovery of Stuxnet. This sophisticated worm exploited four zero-day vulnerabilities in Microsoft Windows operating systems and leveraged vulnerabilities in Siemens STEP 7 engineering software to infiltrate air-gapped networks and modify the code running on Siemens programmable logic controllers, sabotaging uranium enrichment centrifuges at Iran's Natanz facility. By manipulating centrifuge speeds while falsifying sensor data, Stuxnet caused physical damage and delayed Iran's nuclear program, marking the first known instance of malware achieving measurable real-world destruction. Stuxnet's revelation fundamentally altered the understanding of zero-day threats, proving that such vulnerabilities could be weaponized to bridge the digital and physical domains in nation-state operations. It heightened global awareness of such risks and spurred advances in critical infrastructure protection, specialized malware analysis, and defensive strategies against such threats.

These foundational cases collectively drove the security industry's evolution toward proactive vulnerability management, accelerated patching processes, and increased investment in threat intelligence to counter increasingly capable adversaries. Later incidents built upon the techniques pioneered in these exploits, further emphasizing the persistent challenge of unknown vulnerabilities.

Recent high-profile exploits

Several high-profile zero-day exploits have marked the 2020s, illustrating the severe consequences when previously unknown flaws in widely deployed software are weaponized by advanced actors. In December 2021, the Log4Shell vulnerability (CVE-2021-44228), a critical flaw in Apache's Log4j logging library (versions 2.0-beta9 to 2.14.1), was disclosed and actively exploited in the wild almost immediately. The flaw allowed unauthenticated attackers to execute arbitrary code via JNDI lookups in logged data, impacting millions of Java-based applications across industries and prompting global emergency patching and mitigation efforts. Mercenary spyware vendors have also driven zero-day exploitation against consumer platforms. NSO Group's Pegasus spyware deployed multiple zero-click exploit chains against iOS devices in 2022, including PWNYOURHOME (targeting HomeKit and iMessage on iOS 15/16), FINDMYPWN (leveraging Find My and iMessage on iOS 15), and LATENTIMAGE (affecting iOS 15.1.1), enabling remote infection without user interaction and targeting civil society figures globally. Similar commercial spyware operations have exploited zero-day chains in Google's Chrome browser and Android kernel components. These incidents highlight the persistent challenges in defending against zero-day exploits in trusted software, open-source libraries, and mobile ecosystems.

Patterns across major incidents

Analysis of major zero-day incidents reveals several recurring patterns in exploitation strategies and threat actor behaviors. One prominent trend is the increasing use of zero-day chains, where attackers combine multiple vulnerabilities—often a mix of zero-days and n-days—to achieve reliable compromise. Such chains are particularly common in mobile device exploits: chains of multiple zero-day vulnerabilities continue to be used almost exclusively (~90%) against mobile devices. Commercial spyware campaigns have frequently employed these chains, linking sandbox escapes and privilege escalations to deploy surveillance payloads.

Another observed pattern is the rise in supply-chain and third-party component attacks, where adversaries exploit vulnerabilities in widely used libraries, dependencies, or vendor ecosystems to affect multiple victims indirectly. Third-party components in platforms like Android have been repeatedly targeted, with three of seven Android zero-days exploited in 2024 affecting such elements. Broader data shows that zero-day and supply-chain attacks significantly drove data breach volumes in 2023, with zero-day incidents surging from eight in 2022 to 110 in 2023.

A further trend involves the growing role of commercial spyware vendors (also known as commercial surveillance vendors or CSVs) in discovering and exploiting zero-days. These entities, which sell tools primarily to government clients, were responsible for a substantial portion of zero-days targeting popular platforms; for instance, they accounted for half of known in-the-wild zero-days affecting Google products and Android since mid-2014, with conservative estimates placing their involvement even higher because of undetected cases. In 2024, eight zero-day exploitations were attributed to CSV customers. This proliferation reflects the expanding surveillance industry, where vendors develop advanced exploit capabilities previously limited to nation-states.

Mitigation and defense strategies

Preventive engineering practices

Preventive engineering practices focus on integrating security into the software development lifecycle to minimize the introduction of vulnerabilities that could become zero-days. A key approach is the adoption of a Secure Software Development Lifecycle (SDL), which embeds security practices across all development phases, from design through deployment. This includes threat modeling, secure coding standards, code reviews, and security testing to identify and remediate issues early, thereby reducing the likelihood of vulnerabilities reaching production.

The use of memory-safe programming languages is a fundamental preventive measure, as these languages eliminate entire classes of memory corruption vulnerabilities by design through mechanisms such as automatic memory management and bounds checking. Memory safety issues account for approximately 70% of vulnerabilities in major projects and a significant portion of zero-day exploits; transitioning to languages like Rust, Go, and Python has demonstrably reduced such vulnerabilities in large-scale codebases.

Compiler hardening techniques and runtime protections further strengthen defenses. Data Execution Prevention (DEP) prevents the execution of code injected into non-executable memory regions, while Address Space Layout Randomization (ASLR) randomizes memory locations to make exploits that rely on predictable addresses more difficult. These mitigations complicate exploitation even when vulnerabilities exist.

Fuzzing and static/dynamic analysis tools proactively identify defects during development. Fuzz testing feeds malformed inputs to a program to uncover hidden bugs that conventional testing might miss, enabling fixes before release and reducing the risk of zero-day exploits. Static analysis scans source code for potential vulnerabilities, while dynamic analysis observes runtime behavior to detect issues.

Conventional preventive practices such as these are less effective against emergent vulnerabilities in artificial intelligence systems, where unpredictable behaviors may introduce novel flaws.
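As an added illustration of the fuzz testing practice described above (example code written for this page, not from the article or any project it mentions): a small mutation fuzzer is run against a constructed length-prefixed record parser, first with an unchecked length field (the same missing-bounds-check defect class behind the memory corruption zero-days discussed under exploitation methods) and then against the bounds-checked version. The record format, the parser and fuzzer names, and the seed message are all constructed for this example.

```python
"""Added example for this page (not the article's or any vendor's code):
mutation fuzzing of a constructed record parser, buggy and hardened."""
import random
import struct
from typing import Callable, List, Optional

# Constructed record format: [n][type][payload of n-1 bytes]; n counts the bytes
# after the length byte. Type 0x01 = ASCII text, type 0x02 = 32-bit big-endian int.


def parse_records_buggy(data: bytes) -> List[object]:
    """Defect: trusts n and never checks that the record fits in the buffer,
    the Python analogue of a missing bounds check in C."""
    records: List[object] = []
    i = 0
    while i < len(data):
        n = data[i]
        rtype = data[i + 1]                  # can index past the end of the buffer
        payload = data[i + 2:i + 1 + n]      # silently short when n is a lie
        if rtype == 0x02:
            records.append(struct.unpack(">I", payload)[0])  # needs exactly 4 bytes
        else:
            records.append(payload.decode("ascii", "replace"))
        i += 1 + n
    return records


def parse_records_fixed(data: bytes) -> List[object]:
    """Same format with every length and type validated before use; malformed
    input is rejected with ValueError instead of failing unpredictably."""
    records: List[object] = []
    i = 0
    while i < len(data):
        n = data[i]
        if n < 1 or i + 1 + n > len(data):
            raise ValueError("record length does not fit in buffer")
        rtype = data[i + 1]
        payload = data[i + 2:i + 1 + n]
        if rtype == 0x02:
            if len(payload) != 4:
                raise ValueError("integer record must carry exactly 4 bytes")
            records.append(struct.unpack(">I", payload)[0])
        elif rtype == 0x01:
            records.append(payload.decode("ascii", "replace"))
        else:
            raise ValueError(f"unknown record type {rtype:#x}")
        i += 1 + n
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[:rng.randrange(len(buf) + 1)]
    return bytes(buf)


def fuzz(parser: Callable[[bytes], object], seed_input: bytes,
         iterations: int = 2000, seed: int = 1) -> Optional[bytes]:
    """Minimal mutation fuzzer. Returns the first input that makes the parser
    fail in an unintended way, or None. ValueError is the parser's deliberate
    rejection of bad input and is therefore not counted as a crash."""
    rng = random.Random(seed)
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except ValueError:
            continue
        except Exception:
            return candidate
        corpus.append(candidate)  # surviving inputs seed further mutations
    return None


# Constructed seed: text record "hi" followed by the integer record 0xDEADBEEF.
SEED_MESSAGE = bytes([3, 0x01]) + b"hi" + bytes([5, 0x02]) + (0xDEADBEEF).to_bytes(4, "big")
```

Running `fuzz(parse_records_buggy, SEED_MESSAGE)` returns a crashing input within a few iterations (a truncated integer record is enough), while `fuzz(parse_records_fixed, SEED_MESSAGE)` returns None because every malformed input is rejected deliberately.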

Detection and monitoring approaches

Detection of zero-day vulnerabilities relies on approaches that do not depend on prior knowledge of the specific flaw or on signatures, since attackers exploit previously unknown security holes before patches exist. These methods focus on identifying exploitation attempts through observation of anomalous behavior or on blocking common exploitation techniques at runtime.

Behavioral detection and anomaly detection form a core strategy: they establish baselines of normal system, application, or network activity and flag deviations that may indicate exploitation. Techniques include real-time monitoring for unusual patterns such as rapid file encryption, unexpected process behavior, or abnormal script execution. Machine learning models enhance this capability; for instance, one-class support vector machines and autoencoders train on normal data to detect outliers, while ensemble methods like Kitsune use multiple autoencoders for unsupervised anomaly scoring. Effectiveness varies by attack type—higher for distinct anomalies (e.g., DDoS) and lower for subtle ones (e.g., infiltration)—but these approaches show promise in identifying zero-day activity without signatures. Emerging AI-based anomaly detection builds on these foundations and is increasingly applied in complex systems.

Exploit mitigation technologies apply runtime protections to disrupt common exploitation techniques, even against unknown vulnerabilities. Microsoft's Exploit Protection (successor to the deprecated Enhanced Mitigation Experience Toolkit, EMET) includes mitigations such as Control Flow Guard (CFG), which validates indirect calls to prevent control-flow hijacking (e.g., return-oriented programming), and Arbitrary Code Guard (ACG), which blocks dynamic code allocation and execution to stop code injection attempts. Additional features like Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), and Address Space Layout Randomization (ASLR) enhancements further hinder memory corruption exploits by enforcing memory integrity and randomization. These operate at the system or application level and can block zero-day exploitation by targeting the mechanisms attackers use rather than the vulnerability itself.

Endpoint detection and response (EDR) solutions provide comprehensive monitoring and response capabilities on endpoints, integrating behavioral analysis, process monitoring, and real-time threat hunting to identify zero-day exploits. EDR tools detect suspicious activities such as unusual process handle requests or memory anomalies, enabling rapid isolation, quarantine, or termination of malicious processes. They often combine machine learning, sandboxing, and threat intelligence to address fileless attacks, ransomware, and advanced persistent threats that evade traditional defenses.
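The baseline-and-deviation approach described above, as an added example that is not part of the original article or of any product it names: a per-process baseline of file modifications per minute is learned from constructed "normal" log lines, and a later window is scored against it to flag the rapid file rewriting the text cites as a ransomware-style indicator. The log format, the process names and all timestamps are constructed for the example.

```python
"""Added example for this page (not the article's or any vendor's code):
baseline-and-deviation detection of rapid file modification over constructed logs."""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log format (not a real product's): "<epoch_seconds> <process> <op> <path>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
Event = Tuple[int, str, str, str]


def parse_events(lines: List[str]) -> List[Event]:
    """Parse log lines; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def modifications_per_window(events: List[Event], window: int = 60) -> Dict[Tuple[str, int], int]:
    """Count 'modify' events per (process, time bucket of `window` seconds)."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for ts, proc, op, _path in events:
        if op == "modify":
            counts[(proc, ts // window)] += 1
    return counts


def build_baseline(events: List[Event], window: int = 60) -> Dict[str, Tuple[float, float]]:
    """Per-process mean and standard deviation of modifications per window,
    learned from activity assumed to be normal."""
    samples: Dict[str, List[int]] = defaultdict(list)
    for (proc, _bucket), count in modifications_per_window(events, window).items():
        samples[proc].append(count)
    baseline = {}
    for proc, xs in samples.items():
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        baseline[proc] = (mean, std)
    return baseline


def detect_anomalies(events: List[Event], baseline: Dict[str, Tuple[float, float]],
                     window: int = 60, k: float = 3.0, floor: int = 20) -> List[dict]:
    """Flag (process, bucket) pairs whose modification count exceeds
    max(mean + k*std, floor). The absolute floor stops a zero-variance baseline
    from flagging every small fluctuation; processes never seen in the baseline
    are judged against the floor alone."""
    alerts = []
    for (proc, bucket), count in sorted(modifications_per_window(events, window).items()):
        mean, std = baseline.get(proc, (0.0, 0.0))
        threshold = max(mean + k * std, float(floor))
        if count > threshold:
            alerts.append({"process": proc, "bucket": bucket,
                           "count": count, "threshold": threshold})
    return alerts


def constructed_logs() -> Tuple[List[str], List[str]]:
    """Constructed sample data: five quiet minutes for the baseline, then one
    minute in which an unknown process rewrites 60 files with a new extension."""
    t0 = 1_700_000_640          # chosen so that t0 falls on a 60-second boundary
    normal, suspect = [], []
    for minute in range(5):
        base = t0 - 300 + minute * 60
        normal += [f"{base + j * 15} editor modify /home/u/doc{j}.txt" for j in range(3)]
        normal += [f"{base + j * 5} backup modify /backup/vol/file{j}.bak" for j in range(10)]
    suspect += [f"{t0 + j * 15} editor modify /home/u/doc{j}.txt" for j in range(3)]
    suspect += [f"{t0 + j * 5} backup modify /backup/vol/file{j}.bak" for j in range(12)]
    suspect += [f"{t0 + j} update_helper modify /home/u/doc{j}.txt.locked" for j in range(60)]
    return normal, suspect


def run_demo() -> List[dict]:
    """Learn the baseline from the quiet minutes and score the suspect minute."""
    normal, suspect = constructed_logs()
    baseline = build_baseline(parse_events(normal))
    return detect_anomalies(parse_events(suspect), baseline)
```

`run_demo()` returns a single alert for `update_helper` (60 modifications against a threshold of 20), while `editor` and the slightly busier `backup` stay within their baselines.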

Rapid response and patching

When a zero-day vulnerability is discovered, especially under active exploitation, vendors and affected organizations initiate rapid response processes to minimize exposure. Vendors frequently issue emergency out-of-band patches to address the flaw quickly, bypassing standard release cycles. Best practices recommend deploying such emergency patches within 48 to 72 hours when possible, prioritizing critical and internet-facing systems to reduce the window of exploitation. Organizations often follow structured timelines, such as 72-hour response plans, to manage the process. These plans typically begin with a rapid assessment of affected assets and exposure, followed by hardening measures and efficient patch deployment. Automated patch management tools facilitate prioritized deployment while incorporating testing in isolated environments and change controls to avoid disruptions.

Before patches are available, temporary mitigations play a critical role in reducing risk. These include vendor-recommended workarounds such as disabling vulnerable features or services, applying configuration changes (e.g., registry-based kill bits to block specific components), implementing firewall rules, restricting network access, or using application allowlisting.

During active exploitation, coordination between vendors, affected organizations, and computer emergency response teams (CERTs) is essential. Vendors provide advisories and patches, while CERTs issue guidance, track exploitation, and facilitate information sharing to support containment efforts across affected parties. In emerging technologies like artificial intelligence systems, rapid patching can be more challenging because of complex architectures and unpredictable behaviors.

Zero-days in emerging technologies

Vulnerabilities in artificial intelligence systems

Artificial intelligence (AI) systems, particularly those based on machine learning (ML) and deep learning (DL), introduce novel zero-day vulnerabilities arising from their data-driven nature, complex architectures, and opaque decision-making processes. These vulnerabilities involve previously unknown flaws in algorithms, training data, or inference mechanisms that attackers can exploit before developers or vendors discover or patch them.

Major attack surfaces include data poisoning attacks, where adversaries inject malicious samples into training datasets to degrade model performance, induce targeted misclassifications, or skew outputs in ways that compromise system integrity. Such attacks can involve label flipping, feature manipulation, or feedback weaponization, often leading to real-world risks in domains like autonomous vehicles or medical diagnostics. Adversarial input attacks constitute another critical surface, involving carefully crafted perturbations to inputs that cause models to produce incorrect outputs despite appearing normal to humans. These can be white-box (full model access), black-box (output-only access), or grey-box, with examples including altered stop signs misclassified by self-driving car systems or perturbed images fooling object recognition. In large language models, prompt injection attacks exploit instruction-following behavior by embedding malicious directives in inputs to override intended safeguards or execute unauthorized actions, representing a persistent exploit vector in generative AI systems.

The black-box and non-deterministic nature of many AI models amplifies the "unknown-unknown" problem: internal mechanisms remain opaque, and emergent behaviors from complex interactions can produce unpredictable vulnerabilities that are difficult to anticipate through conventional testing.

Challenges in securing complex and autonomous systems

Securing complex and autonomous systems poses substantial difficulties that extend beyond conventional cybersecurity approaches, particularly in environments integrating advanced AI/ML components with cyber-physical elements. Traditional secure development practices, which emphasize static code analysis, vulnerability scanning of source files, and predictable release cycles, prove inadequate for AI/ML systems because of their dynamic nature. These systems involve unique stages such as data preprocessing, model training, iterative learning, and binary model deployment, introducing artifacts like neural network graphs, model weights, and evolving pipelines that traditional tools cannot effectively analyze or secure. For instance, conventional AppSec methods lack capabilities for scanning binary model files (.pt, .onnx), detecting architectural backdoors in neural networks, or addressing AI-specific supply chain risks, leaving gaps in protection against emerging threats.

Patching and updating autonomous systems, including self-driving vehicles, encounters severe logistical and technical obstacles stemming from their distributed, multi-vendor architectures. Modern vehicles often contain 70 to 100 Electronic Control Units (ECUs) with over 100 million lines of code, developed by numerous suppliers, complicating coordinated security updates and increasing the risk that outdated components serve as gateways for attacks. Secure over-the-air (OTA) mechanisms are critical but frequently unfeasible for resource-constrained or legacy devices, while the safety-critical nature of these systems limits opportunities for downtime or manual intervention, heightening exposure to persistent vulnerabilities.

These inherent complexities necessitate a shift toward novel security paradigms, such as runtime verification and AI-assisted mechanisms, to enable real-time monitoring, autonomous incident response, and dynamic risk assessment during operation. Runtime approaches allow systems to react instantaneously to threats without human involvement, leveraging machine learning to process vast data volumes and adapt to unforeseen attacks, while addressing the limitations of centralized security operations that suffer from connectivity issues and delayed response times. Such innovations aim to enhance resilience in heterogeneous, no-human-in-the-loop environments where traditional static defenses fall short. These challenges further exacerbate the zero-day threat landscape, particularly in emerging AI-integrated technologies.
