A zero-day (or 0-day) is a software vulnerability unknown to the vendor, with no patch available. The name reflects that developers have had zero days to fix it.
Zero-days are highly valuable. State agencies and criminal organizations pay millions for reliable zero-days in widely used software. They are the primary mechanism behind tools like Pegasus.
Defensive mitigation: keep software updated (to minimize the window during which discovered vulnerabilities remain unpatched), use devices with strong sandboxing, and do not assume that the absence of known vulnerabilities means total security.
What it means in practice
Zero-days are used by state-level threat actors against high-value targets — diplomats, senior journalists, opposition figures. They are expensive to acquire and deploy, which means most people are not targets. For those who are, consumer security measures are inadequate and the realistic response includes periodic device replacement, keeping OS and apps fully updated, and professional security review. Pegasus is a documented example of zero-day exploitation at scale against civil society.
