What is referred to as a zero-day vulnerability?

A zero-day vulnerability is defined as a flaw in software or hardware that is unknown to the vendor and for which no patch or fix is available at the time it is discovered or exploited. The term "zero-day" refers to the fact that developers have had zero days to address the flaw since becoming aware of it. This type of vulnerability poses a significant risk because attackers can exploit it before the vendor has the opportunity to rectify the issue, potentially leading to data breaches or system compromises.

In contrast, a flaw with an available patch is a known issue that has already been addressed by the vendor. A known security issue indicates that the vulnerability has been identified and is generally understood, which means mitigation strategies may be in place. Similarly, a vulnerability that has been publicly disclosed implies that the information about the flaw is available, allowing users to be aware and take precautions, but this does not necessarily mean it is still unpatched or that vendors were unaware of it. Thus, the correct understanding of what constitutes a zero-day vulnerability hinges on its unknown status to the vendor and the absence of a patch at the moment of exploitation.