A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.
Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contains bugs. Many of these impair the security of the system and are thus vulnerabilities. Although the basis of only a minority of cyberattacks, zero-days are considered more dangerous than known vulnerabilities because there are fewer countermeasures possible.
States are the primary users of zero-day vulnerabilities, not only because of the high cost of finding or buying them, but also the significant cost of writing the attack software. Many vulnerabilities are discovered by hackers or security researchers, who may disclose them to the vendor (often in exchange for a bug bounty) or sell them to states or criminal groups. The use of zero-days increased after many popular software companies began to encrypt messages and data, meaning that the unencrypted data could only be obtained by hacking into the software before it was encrypted.