Definition
A zero-day is a software vulnerability that is unknown to the software vendor — there have been “zero days” during which the vendor could have patched it. Until the vendor learns of the flaw and releases a fix, anyone who knows about it can exploit it silently and with no available defense.
Zero-days are the most powerful and dangerous class of cyberweapon because:
- No defense: The patch doesn’t exist yet; victims cannot protect themselves
- No attribution: Digital attacks are difficult to trace; zero-day exploitation leaves few forensic signatures
- Persistence: Vulnerabilities in widely used software (Windows, iOS, industrial control systems) can remain undetected for years or even decades
- Transferability: The same zero-day can be weaponised in multiple ways by multiple actors
The Market
Zero-days are bought and sold in a largely unregulated, opaque global market:
Buyers: Intelligence agencies (NSA, CIA, GCHQ, Mossad, FSB, PLA), law enforcement (FBI), defence contractors, criminal organisations, authoritarian governments seeking surveillance tools.
Sellers: Independent security researchers, exploit brokers (Zerodium, Crowdfense), defence contractors.
Prices: Vary by target and capability. As of 2021:
- iOS full-chain remote jailbreak: $2.5M+
- Android full-chain: $2M+
- WhatsApp zero-click: $1.5M+
- Windows local privilege escalation: $40–100K+
The key market failure: Sellers can sell the same zero-day to multiple buyers without the buyer’s knowledge. There is no exclusivity guarantee. A nation-state may pay $1M for a “unique” capability and discover that their adversary has the same exploit.
The Stockpile vs. Patch Decision
When a government acquires a zero-day, it faces a choice:
- Report to vendor: Vendor patches the vulnerability; the capability is destroyed, but millions of users (including the government’s own citizens and infrastructure) become more secure
- Stockpile: Retain the capability for offensive use; millions of users remain vulnerable; the vulnerability may eventually be independently discovered by adversaries
The US government’s Vulnerability Equities Process (VEP) is supposed to weigh these equities. In practice, intelligence agency interests dominate and the systematic choice has been to stockpile.
The EternalBlue case: The NSA stockpiled a critical Windows vulnerability for years. When the Shadow Brokers leaked it in 2017, North Korea used it for WannaCry (~$10B in damage) — among the most costly cyberattacks in history. The NSA had knowingly left this vulnerability in millions of American systems for years.
Zero-Days as a Prisoner’s Dilemma
The global zero-day regime is a multi-party prisoner’s dilemma: each nation is individually better off stockpiling zero-days than reporting them, but collective stockpiling produces a world where everyone’s infrastructure is full of known-but-unpatched vulnerabilities. Unlike conventional arms races, this one has no verification mechanism — you cannot count zero-days the way you can count warheads.
The outcome: a world where critical infrastructure (power grids, hospitals, financial systems) runs on software with known vulnerabilities held by multiple hostile actors — a collective action problem with no current solution.
Connections
prisoners-dilemma
The stockpile-vs-patch decision is a prisoner’s dilemma at the national level. Every nation reporting zero-days would make everyone safer (mutual cooperation). Every nation stockpiling exploits is individually rational but collectively catastrophic.
lollapalooza-effect
WannaCry and NotPetya are lollapalooza events: NSA stockpiling + Shadow Brokers leak + slow patching + adversary weaponisation = outcomes far worse than any single factor. The compounding of independent decisions made by multiple actors produced catastrophic cascades.
wysiati
The decision to stockpile rather than patch reflects a systematic WYSIATI failure: decision-makers could see the intelligence value clearly; the diffuse, probabilistic future harm of unpatched infrastructure was invisible to them. The 2017 consequences were what they couldn’t see.
extractive-institutions
The VEP is a captured process: intelligence agencies make decisions about a public good (software security for millions of citizens) in private, for their own benefit, with no public advocate. The structure is extractive — concentrated private benefit (intelligence capability) at the expense of diffuse public cost (insecure infrastructure).
large-language-models
AI is transforming zero-day economics. Automated vulnerability discovery (fuzzing + AI) dramatically reduces the cost of finding zero-days. AI-assisted exploit generation is becoming possible. The current arms race dynamics are about to become significantly more dangerous.
creative-destruction
AI-enabled vulnerability discovery is a wave of creative destruction in the security domain: old defensive postures built around patching known CVEs will be disrupted by AI that finds zero-days faster than humans can patch them. The question is whether defensive AI can keep pace with offensive AI.