Disagree. A 0-day is only a 0-day for 1 day after public disclosure (and before).
It's a useful distinction. 0-days are special because your target has no idea such a vulnerability even exists. This makes them very different than known but still unpatched vulnerabilities.
How does that make them very different? The latest version of the software is still exploitable in either case. In my opinion, that is why it's useful to call them 0-days until they are patched.
Known vulnerabilities or weaknesses that don’t have patches are not 0-days. A 0-day is a vulnerability that you don’t know exists yet. That’s how the term is used in risk management and threat modelling. You don’t have 0-days that you’ve known about for 8 years. They’re just known risks.
varenc|5 years ago
dtho|5 years ago
AmericanChopper|5 years ago
tptacek|5 years ago