A zero-day vulnerability is an unpatched vulnerability that exists before the software developer or the security community becomes aware of it; the term describes a state in which virtually no defensive measures exist until a patch is provided.
A vulnerability that is exploited while the number of days between its discovery and the availability of a patch is "zero"—meaning no fix yet exists—is called a zero-day vulnerability. In a standard security response cycle, the process flows as follows: "a CVE is disclosed → a patch is distributed → users apply it." With a zero-day, however, not even the first step of this cycle has begun. For defenders, it is like being asked to dodge a bullet they do not even know exists.
Zero-day vulnerabilities exist within a unique marketplace. Nation-state actors and cybercriminal groups may pay hundreds of thousands to millions of dollars for undisclosed vulnerability information. By contrast, the reward for responsibly reporting such a vulnerability to the defensive side through a bug bounty program is often only a fraction of that amount. This economic asymmetry is the structural reason why zero-days tend to flow toward black markets.
Many of the web application vulnerability categories organized by OWASP follow well-known patterns, but zero-days sometimes fall into categories that have yet to be defined. As illustrated by the remote crash bug that lay dormant in OpenBSD for 27 years, the longer a vulnerability goes undiscovered, the broader its potential impact—and the more it can serve as a launchpad for supply chain attacks.
The fact that Claude Mythos discovered thousands of zero-days in Project Glasswing demonstrates that AI is fundamentally transforming the speed and scale of vulnerability discovery. Traditionally, the primary means of discovery were fuzzing, static analysis tools, and human penetration testers—methods that faced inherent limitations in coverage due to constraints of time and cost.
If large-scale AI-driven scanning is deployed by defenders first, there is a possibility that vulnerabilities can be patched before they are ever exploited as zero-days. Conversely, if attackers gain access to equivalent AI capabilities, the mass production of zero-days could become a reality. Efforts to quantitatively measure a model's offensive capabilities through benchmarks such as CyberGym serve to visualize where we currently stand in this "AI arms race."
A2A (Agent-to-Agent Protocol) is a communication protocol published by Google in April 2025 that enables different AI agents to perform capability discovery, task delegation, and state synchronization.

Acceptance testing is a testing method that verifies whether developed features meet business requirements and user stories, from the perspective of the product owner and stakeholders.

AES-256 is the highest-strength variant of AES (Advanced Encryption Standard), a symmetric-key cipher standardized by the National Institute of Standards and Technology (NIST), and uses the 256-bit key length, the longest the standard defines.

A mechanism that controls task distribution, state management, and coordination flows among multiple AI agents.

Agent Skills are reusable instruction sets defined to enable AI agents to perform specific tasks or areas of expertise, functioning as modular units that extend the capabilities of an agent.