Zero-Day

A zero-day (also written 0-day) is a software vulnerability that the vendor does not yet know about and has not patched. The “zero” refers to the days the vendor has had to develop a fix. The category includes both the vulnerability itself and the exploit that weaponizes it. Traded in legal markets (bug-bounty programs paying $5,000 to $2.5M for high-impact disclosures) and in gray-and-black markets (Zerodium and similar offering up to $2.5M for iOS or Android zero-clicks; nation-state customers paying more for capability). The structural primitive of advanced cyber operations.

What it means in practice

The zero-day market shapes the modern threat landscape. Nation-state services maintain stockpiles of zero-day capability for use against high-priority targets; commercial spyware vendors (NSO Group Pegasus, Intellexa Predator, the broader mercenary-spyware ecosystem) operate on a zero-day-driven business model, requiring continuous capability replenishment as patches close prior exploits. The 2023 Operation Triangulation iOS implants chained four zero-days. The 2024-26 environment includes ongoing chains discovered by Citizen Lab, Amnesty Security Lab, and Apple’s own Security Engineering and Architecture team, with the public disclosure cycle of “this exploit was used against this target population” running every few months. The defensive implications for ordinary users: most zero-day capability is reserved for high-value targets, the patch cycle catches most exploits before they reach the broader user base, and the general defense (current OS, current apps, hardware-key 2FA, reduced attack surface) addresses the bulk threat tier.

Where it shows up

Most consequential against: high-target operators in mercenary-spyware-targeting brackets (journalists on intelligence-services and organized-crime beats, lawyers representing dissidents, activists who have drawn government attention, exiled-opposition political figures), enterprise environments where targeted zero-day delivery via spear-phishing is the documented initial-access vector for sophisticated breach campaigns, and (less frequently) the broader user base when a zero-day chain is weaponized for mass deployment by ransomware operators or financial-crime crews. The defenses for the high-target population: Lockdown Mode on iOS, GrapheneOS on Pixel, Citizen Lab consultation for forensic scans, the broader operational discipline that reduces the attack surface and contains the blast radius of a successful exploit. For ordinary users: the patch-cycle hygiene (update promptly when patches release) addresses most of the risk, with zero-day-against-you scenarios rare enough that the marginal hardening cost above the baseline is not justified for most threat models.

What you can change today

Three layers depending on threat model. Layer 1 (everyone): keep the OS and apps current; install security updates within 48 hours of release; do not skip iOS updates that include security fixes; on Android, choose devices that receive timely security patches (Pixel for the cleanest update cadence). Layer 2 (privacy-conscious): enable Lockdown Mode on iOS for high-target sessions, audit the Always-permission and special-permission grants on Android, prefer apps from official sources and verified open-source repositories. Layer 3 (high-target): GrapheneOS for the strongest non-iOS option, Lockdown Mode persistently on iOS, Citizen Lab consultation if you suspect targeting, and the broader operational discipline (separate device for sensitive work, reduced app surface, regular re-imaging of the device); the cost is significant, the benefit applies to the small population whose work justifies it.

Related articles