10

Does "zero-day" or "0-day" (in context of software vulnerabilities and exploits) refer to the software release, or a particular type of exploit?

[I did not find an answer to this on SO. Though it is answered elsewhere on the Internet, my understanding of SO is that it's okay to ask/answer basic questions]

4

7 Answers

17

Simply put, it means that it [the exploit] was released before the company was notified and had the opportunity to fix it, because the company had 0 days of notification.

Answered 2009-01-03T20:52:24.767
7

Wikipedia has two entries which are relevant:

Answered 2009-01-03T20:50:54.083
1

This is kind of a pet peeve of mine because people usually get this so wrong, and then back up their claim by linking to a PHB executive summary that is also wrong (usually written by a journalist who got their knowledge through word of mouth and really doesn't understand security all that well.)

The term zero-day started in the warez scene. Back when software only had physical releases, warez groups (collectively, the "warez scene") prided themselves on releasing cracked copies of software (especially games) earlier than the other groups (and to this day, they still do). If they distributed it (with a crack, if it had copy protection) on the same day as the release, they would call that 0-day warez. Being able to crack the software on the same day they got it was also seen as a mark of being a skilled cracker.

Eventually this extended to warez releases that came BEFORE the release date of the software, which was usually done by a member of the group obtaining a copy from either a retail distribution center or a store that they worked at before the official sale date. These were also labeled as 0-day releases until the day AFTER the retail release date had passed.

The crackers who broke the copy protection tended to have both the means and the motive to find vulnerabilities in software of all stripes. They would develop exploits that they then termed 0-day exploits. These remained labeled as 0-day exploits until the day after a patch was released by the software developer, prior to which they were the most useful. Naturally, the professional side of cybersecurity had to "know thy enemy", so to speak, so they would of course learn the language, including slang terms like "zero day" (as well as many other slang terms like "fraggle", "smurf", etc., that are also commonly found in cybersecurity textbooks).

So, and here's where this becomes my opinion, it's best to describe the term "zero day" thus: The day of or before a relevant software release. In other words, zero full days have passed since the release.

What that means, exactly, depends on the context. I described the context of warez already. In the context of a vulnerability (meaning a software flaw or bug that is open to exploitation), that doesn't mean the day the software developer is aware of it. In fact, it turns out that many vulnerabilities are known to the vendor but still haven't been patched by the time they've been exploited in the wild. Recent example:

https://www.zdnet.com/article/everything-you-need-to-know-about-microsoft-exchange-server-hack/

In other words, that Exchange vulnerability was known about three months prior to Microsoft issuing a patch, and was being exploited in the wild for at least a few weeks prior. It remained a zero-day exploit until the day after Microsoft had issued a patch (in other words, while it had been zero full days since a patch was released).

The idea of the definition being 0-days of notification, or 0-days to respond, is bogus for a few reasons:

  • The vulnerability existed on the same day the vulnerable software was released, and from that point to the point of a patch release it could have been exploited at any time, and unless the attacker announced the day of their first use of the exploit or when they first developed the exploit, the vendor always had zero days of notification.
  • You, as an end user of vulnerable software, theoretically always have zero days to respond. If your systems were broken into with a zero-day exploit, there's a good chance that you're none the wiser, and on average this takes about 100 days (cybersecurity people often call this "dwell time"). So, realistically speaking, all of those days were zero day.
  • Let's assume that you have a critical business system exposed to the open internet, and you really can't do anything to mitigate a vulnerability on it (i.e. disabling public access) without causing more harm to your business and/or your customers than if you just do nothing: each day that passes before a patch is released is also zero days to respond.

Thus, it only makes sense to refer to zero day in relation to the day when a patch is released.

Answered 2021-12-10T04:02:02.630
0

A zero-day vulnerability or attack means that an exploit has been found active in the "wild" without being announced or the developers notified.

Answered 2009-01-03T21:19:58.470
0

A zero-day exploit or vulnerability is an exploit for a bug that is not known to the general public (i.e. no patch was released for it).

Answered 2009-01-03T21:27:37.050
0

Three major uses of "Zero Day"

I personally was aware of the third sense before the other two.

Answered 2009-01-03T21:53:08.200
-1

Zero-day should be defined as exploits written to activate on machines simultaneously at a particular date/time or based on a certain condition or external signal, such as Stuxnet.

Web pages seem to be defining zero-day as vulnerabilities merely not known to the public or the company, nor fixed yet. That doesn't make sense, because it describes 100% of them for at least a part of the life cycle of the flaw. Hackers don't announce their attacks before putting them in place; that would be pretty stupid. The term is meaningless under many of the definitions out there, because it would apply to just about any security bug.

As the author of an encryption program, I'd say it is of course sexier to say zero-day than security bug. However, it should not be popularly used in relation to the flaw (that's the big mistake), but instead for particular types of attacks. A security bug can be exploited immediately or used to cause something to happen later, on "zero-day".

Kaspersky about zero-day: "Exploit occurs when a system weakness is discovered and attacked within a day". In other words, they are saying the hacker accomplished their task within 24 hours after finding the flaw. How do they know? Are they sitting at the desk of the hacker with a stopwatch? In this case, the flaw is in the definition.

Ground zero is where something terrible happens.

Day zero is when something terrible happens.

See paragraph one.

When the majority are in error, do not succumb to peer pressure.

Interesting quote by an early Microsoft guy, heard today: [A falsehood] is half-way around the world before the truth has put on its pants. I will add, because people lay out the welcome mat for it.

In the book Zero Day by Mark Russinovich, whom I respect (mainly because of his sensible software, now via Microsoft), it sounds like he portrays coordinated software attacks as a sort of "doomsday".

While many zero-day threats are small, this flavor/meaning of the term zero-day is the one that makes sense to me: like a ticking time bomb counting down to zero day, when it triggers to do its damage, versus just spreading/establishing itself prior to zero day.

Answered 2015-10-15T06:08:36.637