
My Last Pitch for Defining

Alan Shimel is reviving the zero day debate and coins a term "less than zero day" for vulnerabilities that are unknown to the public at large. Check out his series starting here, then here, and finally here. Rothman mostly agrees here, but (like me) isn't enamored of the name.

As I stated in my initial support for Alan's position, I think he's mostly nailed it. There is a distinct difference between an unknown vulnerability, an unknown vulnerability for which there's an active exploit, a new vulnerability that's not patched (what most people call a 0 day), and regular old vulnerabilities.

The difference is that I define the first case (a non-public vulnerability) as the real meaning of a zero day. Why? Because the vulnerability is discovered (day 0), but not propagated. This is Shimel's "less than zero day".

I don't want to get caught up in any definition battles, especially when I'm fighting the marketing arms of every security vendor out there who claims they stop a 0 day. I'm willing to fight the noble fight, but let some other idiot go down with the ship.

Since the vulnerability is known, by however small a group, it's a 0 day. If exploited, it's a 0 day exploit. When it's public knowledge, but not patched, it's just an unpatched vulnerability, not a 0 day.

If we use this terminology we can get past everyone claiming 0 day protection when they just block an unpatched vulnerability. Zero day can regain its mythical splendor as the representation of evil, unknown vulnerabilities that will cause planes to crash and erase the history of all financial records. Or screw up your browser, whichever you consider worse.

There's my last pitch.

(In case I lose and we keep calling unpatched vulnerabilities 0 days, I propose "T- " instead of less than zero day.)

—Rich


Comments:


By NBA for Network-wide visibility « Observatio  on  10/24  at  07:33 AM

[...] Shimel has taken a stab at defining zero-days (here)(here) and (here). Rothman has weighed in (here), so has the Mogull (here) - good stuff! [...]
