Talk:Zero-day vulnerability

Page title
Shouldn't it be called Zero-day malware? In my opinion virus is too specific. — Preceding unsigned comment added by Alejo123 (talk • contribs) 01:29, 4 April 2011 (UTC)


 * I thought that it was "zero day." A part of the computer. — Preceding unsigned comment added by 24.187.145.47 (talk) 12:12, 12 July 2011 (UTC)


 * "0day" originally referred to exploits targeting vulnerabilities that are unknown to a vendor. When the exploit is used, the author originates the start of this unique attack activity, at "Day Zero" (everything starts at "0", not "1", in the world of computing). So, a true "0day worm" like Slammer spread via an 0day attacking CVE-2002-0649 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0649), which was unknown to Microsoft at the time. In more recent terms, Stuxnet was an 0day worm. It is very unusual to find true 0day malware - worms, client side remotes, whatever. The current "zero day virus" description on wikipedia follows the lame marketing department lingo at startups looking to take market share from AV vendors, who don't understand the original term, but want a catchy/flashy term to describe new variants of malware, which are commonplace. This lingo is also commonly used as an attempt to suggest that AV scanners detect fewer malware than they really do. Wikiksec (talk) 00:41, 16 February 2012 (UTC)


 * On the one hand, I agree that Zero-day malware is a better name for this article than Zero-day virus. On the other hand, I agree with Wikiksec's comments - the article may well not be encyclopedic. Time for an AFD? --Elvey (talk) 03:15, 28 April 2012 (UTC)

virus as a section of zero-day
Hey guys, can you guys add your views about merging the three WP zero-day articles attack, virus (and/or also malware) and warez into one at: Talk:Zero_day. Thank you :)
 * Done,

footnote 11 leads to "page not found" for InfoWorld article on SONAR by Symantec — Preceding unsigned comment added by 12.157.110.195 (talk) 18:11, 7 June 2016 (UTC)

Warez
Warez doesn't really belong here IMO Deku-shrub (talk) 19:42, 17 May 2015 (UTC)

I agree and will wait a week or so for differing opinions DGerman (talk) 01:14, 10 July 2015 (UTC)

The usage of the term zero-day began with the warez scene, so why would the mention of warez not belong here?

Agree, zero day started in the 'cracking' scene (warez). If mentioned it should be in a history of the meaning section. --Jericho347 (talk) 01:40, 20 August 2022 (UTC)

"Undisclosed" ?
The lead sentence currently says that a zero-day vulnerability is one that is "undisclosed". Later in the article it's pretty clear that the vulnerability may be disclosed and still be considered a zero-day -- it just isn't fixed yet.

I suggest this should either be removed or modified to say "possibly undisclosed" or "disclosed or undisclosed", but I thought I'd discuss before going bold on it.--NapoliRoma (talk) 17:56, 9 November 2015 (UTC)
 * This page is a bit of a Frankenstein currently. In which section has the second reference you're referring to? I can't find it. Deku-shrub (talk) 20:03, 9 November 2015 (UTC)
 * More than anything I was referring to later in the lead paragraph, where it mentions that zero-day vulnerabilities may be exploited on the day that notice is released (which would mean that at that point, they are disclosed).
 * But on reflection, I think the "undisclosed vulnerability" description is accurate. I would now be more inclined to leave it as-is.--NapoliRoma (talk) 03:27, 10 November 2015 (UTC)

Zero day is just a "street slang" term; the article should be short and link readers to where they should really go.
the term "zero-day" is used because it sounds "cool", and it doesn't have much other meaning. Just like stoners think you sound like a guidance counselor if you say marijuana, leet haxorz think you sound like a PHB if you don't say zero-day, but otherwise it's just a newly discovered bug (or previously discovered and kept under wraps) that is exploitable. What's the difference between a virus and a zero day virus? Nothing except "is there a patch available for it?" So, this article should restrict itself to that, and keep the rest of the discussion about viruses vs worms etc. in the "real" articles. We don't have separate articles for "dime bag", "roofie", etc. where all the other info about the drugs is recapitulated, and nor should we recapitulate exploit info that belongs elsewhere in the zero-day article. The distinctions that are interesting are, zero day vuln vs zero day exploit, and whether bugs are fixed in new releases, or if vulns or sploits have been predicted (based on the beta, specs or previous versions) and do exist on day zero of a new launch. 74.73.179.172 (talk) 18:27, 19 January 2016 (UTC)


 * My understanding of the term zero day has always been that it is an exploit that is being exploited by hackers "in the wild" for which there is not yet any published fix or mitigation. Hence you have zero days to get the patch out or whatever. If there has been no zero day attack then it's not a zero day vulnerability! BrianDGregory (talk) 22:57, 4 August 2020 (UTC)

Double Zero-Day?
When searching for Zero-Day exploit info the term Double Zero-Day comes up frequently and would be nice to be defined here as it seems related somehow. I could not find a definition and it may well just be something that the script kiddies use trying to look cool. But it would still be nice to have it laid out here. User:L00KnS33

I have not seen this term used anywhere. If you or anyone can come up with some citations it would be easier to evaluate it. I suspect you are right, just a random term to sound cool. --Jericho347 (talk) 01:40, 20 August 2022 (UTC)


 * The only real references I can find related to "double zero-day" all seem to be stories about two zero-day vulnerabilities cropping up at once. So I suspect that's all it is, a way of talking about (double) (zero-day {vulnerabilities|exploits|announcements}), not (double zero-day) ({vulnerabilities|exploits|announcements}). FeRDNYC (talk) 01:51, 4 April 2024 (UTC)

Name origins
This section is incoherent and unreferenced. It talks about 2 origins and then doesn't say what they are. Also unreferenced sections are usually removed. 69.86.6.150 (talk) 21:06, 6 May 2016 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified 1 one external link on Zero-day (computing). Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20091027041339/http://geocities.com/skrzydla/ to http://en.wikipedia.org/wiki/Wikipedia:Footnotes

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at ).

Cheers.— InternetArchiveBot  (Report bug) 17:37, 16 July 2016 (UTC)


 * This is some glitch in the bot, I guess. Debresser (talk) 18:48, 16 July 2016 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified 4 one external links on Zero-day (computing). Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive http://web.archive.org/web/20081222035950/http://www.computerworld.com:80/action/article.do?command=viewArticleBasic&articleId=9005117 to http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005117
 * Added tag to http://www.avinti.com/download/case_studies/whitepaper_email_residual_risk.pdf
 * Added archive http://web.archive.org/web/20090402192651/http://www.infoworld.com:80/article/07/01/17/HNsymantecsonar_1.html to http://www.infoworld.com/article/07/01/17/HNsymantecsonar_1.html
 * Added archive http://web.archive.org/web/20120803213309/http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html to http://securitywatch.eweek.com/virus_and_spyware/antivirus_is_dead_dead_dead.html
 * Added archive http://web.archive.org/web/20090324082620/http://www.infoworld.com:80/article/07/02/15/HNzerodayinword_1.html to http://www.infoworld.com/article/07/02/15/HNzerodayinword_1.html

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at ).

Cheers.— InternetArchiveBot  (Report bug) 11:17, 21 July 2016 (UTC)

Removed advertising-like sentence
Hey,

By reading this article a sentence related to Symantec antivirus seemed more like advertising than objective knowledge to me. I deleted it, feel free to restore it if you feed like it was not but in this case justify yourself here please.

(talk)

0~Day
Zero-Day 41.47.143.81 (talk) 01:44, 10 August 2022 (UTC)

Requested move 26 August 2022

 * The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review after discussing it on the closer's talk page. No further edits should be made to this discussion. 

The result of the move request was: no consensus. (closed by non-admin page mover) Extraordinary Writ (talk) 17:20, 10 September 2022 (UTC)

Zero-day (computing) → Zero-day – This article is the primary topic, between all the options on the Zero day disambiguation page. That page should be moved to Zero day (disambiguation) and Zero day should become a redirect to Zero-day. PhotographyEdits (talk) 12:27, 26 August 2022 (UTC) — Relisting. – robertsky (talk) 16:24, 2 September 2022 (UTC)


 * My first thought would be that zero-day exploit is the better title. The article deals more with exploiting of the vulnerabilities, than the concept of the vulnerability itself. -- Netoholic @ 13:15, 26 August 2022 (UTC)
 * Oppose. No primary topic here. -- Necrothesp (talk) 12:33, 31 August 2022 (UTC)


 * Neutral/Support. This Zero day page is the most popular page on the Zero day disambiguation page (by pageviews in the last 30 days). It has a wikitionary definition as well with alternative spellings like "zero day", so a redirect would be appropriate and I do support moving Zero day to Zero day (disambiguation). I do not support removing (computing) from the title because I believe Google's infobox uses that information for clearer presentation and classification. Gett Numbers (talk) 03:28, 1 September 2022 (UTC)
 * The (computing) suffix does not matter for Google. Even without that suffix, Google can infer that the article is about computing using other means PhotographyEdits (talk) 12:19, 6 September 2022 (UTC)
 * Note: WikiProject Computing has been notified of this discussion. – robertsky (talk) 16:24, 2 September 2022 (UTC)
 * Note: WikiProject Computer Security has been notified of this discussion. – robertsky (talk) 16:24, 2 September 2022 (UTC)

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
 * Oppose - No clear primary topic here. Zero-day (computing) pageviews are not greater than the others combined. ~Kvng (talk) 15:07, 5 September 2022 (UTC)

Requested move 1 April 2024

 * The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review after discussing it on the closer's talk page. No further edits should be made to this discussion.

The result of the move request was: moved. Per consensus – robertsky (talk) 10:23, 10 April 2024 (UTC)

Zero-day (computing) → Zero-day vulnerability – If there is no consensus to make this the primary topic, at least we should use a natural disambiguation that is more precise about what the topic of the article is—undisclosed or unpatched vulnerabilities that may be used in exploits. Buidhe paid (talk) 19:57, 1 April 2024 (UTC)


 * Support — "zero-day" as a noun is merely a shorthand, when used that way it's always short for something like "zero-day vulnerability", "zero-day exploit", or "zero-day patch". (Which one depends on context.) This article, specifically, is about zero-day vulnerabilities. FeRDNYC (talk) 01:38, 4 April 2024 (UTC)
 * Support per FeRDNYC. Just using "Zero-day" as a title sounds weird to me. Arnav Bhate (talk) 13:03, 4 April 2024 (UTC)


 * Support My instinct is to support this concept being WP:PRIMARYTOPIC and moved to simply Zero-day, because that is how I know the term and it seems to be the only use of the term in the disambiguation page. I checked Oxford English dictionary and it says that "zero day" is a military invasion term in use from the 1910s and attested in publication in 1917. Wikipedia has no military zero-day articles, but has Zero Hour military articles. I am not sure that "zero-day" is still a military term outside of computing. This article is top 1% popularity by pageviews and more popular than all the other zero day articles put together, so I support it not having parenthetical disambiguation. "Zero-day vulnerability" is certainly the clearer option. "Zero-day attack" seems like an option too supported by some sources. I could support simply "zero-day" too.  Bluerasberry   (talk)  17:50, 8 April 2024 (UTC)
 * The only difference between a zero-day attack and other cyberattacks is that the former takes advantage of a zero-day vulnerability. That is why my instinct is that the main topic is the vulnerability. Buidhe paid (talk) 21:45, 8 April 2024 (UTC)
 * Support as nominated. A hyphenated "Zero-day" implies an adjective describing a follow-on noun, which is not present, so I think leaving Zero-day as a redirect is best.  Not necessarily opposed to changing the redirect target to this page instead of the dab since all entries on the dab page are un-hyphenated, but that can be handled outside this RM on the Talk page or at RfD. -2pou (talk) 23:01, 8 April 2024 (UTC)

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Undone changes 4th may 2023 / Attack vectors
Why?

"Unrelated to topic" seems to be a weak excuse. 0-Days can be funneled into your system via ad banners, it should be mentioned as a possible attack vector.

Also;

Physical access is the worst case, as any known and unfixed, unknown or made up instance of a 0-day (which is unknown, thus 0-days-to-fix) may end up in an active vulnerability of the end customer.

Regarding my typing:

Non-Native-English. Brew this one as however you like. 2003:C7:1F2D:9898:FCBE:F250:9EFE:6C4D (talk) 17:07, 4 May 2023 (UTC)
 * Zero-day attacks rely on software vulnerabilities (bugs etc). It has nothing to do with physical access to the computer. Ad banners normally come from web pages accessed via a network connection. Again, nothing to do with physical access. CodeTalker (talk) 17:27, 4 May 2023 (UTC)
 * My original statement mentioned that even trusted webpages may have included web banners, which may, on purpose or not, contain malicious code containing 0-days, which again may or may not be included by malicious means. THIS part is entirely disconnected from Physical access.
 * Physical access is the wet dream for any user and any hacker. Twist and turn and solder and readout however you want. Physical access is a privacy-danger in and of itself and can not be mentioned often enough, in my opinion. Also; 0-Days that won't work via TCP/IP may very well work with a USB stick inside your physical Plug&Play device. 2003:C7:1F2D:9898:FCBE:F250:9EFE:6C4D (talk) 17:39, 4 May 2023 (UTC)

Definition of a zero-day vulnerability
The current definition in the page: "A zero-day (also known as a 0-day) is a vulnerability in a computer system that was previously unknown to its developers or anyone capable of mitigating it." misses some of the key points that (at least I) think are relevant for the term. First, it does not address if the vulnerability is publicly known or not. This would suggest that any vulnerability, at any time of software development, would be a zero-day. Furthermore it does not state that the vulnerability is exploitable, leaving it open if the vulnerability is actually deployed ever. So according to the definition, any development-time SW bugs with security aspects are zero days. Thinking in these terms, it would actually be hard to find a software vulnerability that was not a zero day: any vulnerability, at some point in time, is not known by any developer. As for exploitability, I would not state it is a requirement for a 0-day. Note that exploitability is a trait that may change in time, e.g. with new implementations themselves being secure may expose the vuln. Then, the notion that it is not known by any developer; how can you ever know if this is the case? There could very well be people that know there is a problem but did not have the time or means to fix it. Quickly googling the internet, I find a better definition in "https://www.trendmicro.com/vinfo/us/security/definition/zero-day-vulnerability": "A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched." I think that definition escapes many of the problems we have in this wiki definition today. Sure it can be polished, e.g. by stating "...for which there is no patch available yet" instead of possible misunderstanding that a non-patched system would have 0-days, just because an appropriate patch is not applied yet. To me, this discussion of the real and proper definition of a 0-day is important.
The term is used often when talking about the security of software systems, and with various meanings. For example, if your strategy to mitigate 0-day (risks) would be to have the latest patches in the system, you would have totally missed the point. In the field of security we should use concise text to disseminate the real(istic) problems and risks, and to have matching mitigations for the risks assessed. 84.249.75.64 (talk) 11:19, 27 October 2023 (UTC)


 * I'll largely copy my second bullet point from the discussion below, for my thoughts on the definition question.
 * I'm not sure is really a useful definition from the end-user perspective. A zero-day vulnerability doesn't stop being a zero-day vulnerability when the vendor learns of it, nor when they release a patch.
 * This article by Paul Ducklin really cuts to the heart of it: zero-days, by definition, are bugs that the Bad Guys found first, so that there were zero days on which you could have patched proactively. What matters is not if the vendor knows about the vulnerability or has patched it. The important thing is when they knew about and patched it. Zero-day vulnerabilities are ones which the vendor was made aware of, and (hopefully!) for which they eventually release a patch, only after users' systems had already been exposed to possible attack. FeRDNYC (talk) 16:02, 6 April 2024 (UTC)

Edit request
Please replace the content of this page with User:Buidhe paid/zeroday.

To fix the issue in the tag—unsourced text—as well as outdated sources, I've rewritten according to reliable sources. I also expanded the article with more information about the zero-day market, how the danger of exploits changes over the window of vulnerability. I replaced the US government section with a history section to be less US-centric, and added two public domain charts to illustrate the article. Buidhe paid (talk) 07:12, 5 April 2024 (UTC)


 * There are some definite improvements in that version of the article. However, I feel there are some issues with it that should be addressed before it's adopted:
 * Extraordinary claims like "States are the primary users of zero-day vulnerabilities" really need to be cited, the fact that this statement is made in an entirely citation-free lead section is troubling.
 * With respect to the cited sources (primarily the Rand Corp. authors), I'm not sure is really a useful definition from the end-user perspective — nor does the timeline graphic in the proposed version of the article really bear that definition out. A zero-day vulnerability doesn't stop being a zero-day vulnerability when the vendor learns of it, nor when they release a patch.  This article by Paul Ducklin really cuts to the heart of it:  That definition jibes with the timeline chart. What matters is not if the vendor knows about the vulnerability or has patched it. The important thing is when they knew about and patched it. Zero-day vulnerabilities are ones which the vendor was made aware of, and for which they released a patch, only after users' systems had already been exposed to possible attack.
 * Speaking of the charts — while I have no trouble accepting that Threshold of originality says that those images are freely available for our use, since they're PNG images of primarily-textual data they're still not ideal for inclusion.
 * The timeline chart would be far better re-created in, so that its information is accessible to more readers.
 * The pricing chart could also benefit from a vector re-creation, at a minimum, but that's kind of a secondary issue. I'm not convinced it belongs in this article at all. (Because...)
 * I kind of feel like the whole "Market" section is excessively detailed, and given WP:UNDUE prominence — especially since there's an entire Market for zero-day exploits article. That means that most of the information should live there instead; what appears in this article should be focused on how it relates to zero-day vulnerabilities. Anything that's more about the market itself (characteristics of the buyers and sellers, for example) should be in the other article instead.
 * FeRDNYC (talk) 15:53, 6 April 2024 (UTC)


 * Hi, thanks for responding.
 * First of all the lead is not cited because all the information is cited in the body. See WP:CITELEAD.
 * Second, while neither of the graphics are perfect, I think they are better than not having them. Improvements to the graphics can occur at a later date.
 * If the software is not released (or the bug is discovered by a vendor?) it does not have the same security risk and therefore may not be called a vulnerability. Zero day vulnerabilities are a subset of vulnerabilities and there are two main definitions found in published sources:
 * Based on patch status:
 * "A zero-day vulnerability is one for which no patch has been developed" Defender's Dilemma  p. xvi
 * "a vulnerability in the software that has never been made public and for which there is no known fix." (O'Harrow)
 * "a zero-day is a software or hardware flaw for which there is no existing patch" (Perlroth)
 * "Zero-day vulnerabilities are vulnerabilities for which no patch or fix has been publicly released" (Ablon & Bogart 2017)
 * Based on knowledge status:
 * Zero-day vulnerabilities are "ones that are not publicly known" Sood & Enbody p.40 or "unknown to vendors and the general public" (116)
 * A zero-day vulnerability is "a security vulnerability that is not known to the software vendor or the wider security community." (Dellago, Simpson & Woods 2022)
 * Only one or two of the sources cited in the article suggest that the vulnerability must be discovered by someone other than the vendor to qualify.
 * The market section is prominent because that is an aspect dealt with at length in most of the sources, so I don't think it is UNDUE. In my view, it would make more sense to expand other parts of the article given that it is overall not long. Buidhe paid (talk) 19:41, 6 April 2024 (UTC)
 * Apologies for not responding sooner, I lost track of this until fortuitously bumped it a month ago. Responding to a couple of specific things:
 * I'm very familiar with WP:CITELEAD — have you read it? And as I said, a claim as extraordinary as  warrants a citation wherever it appears. (I also was not able, on quick examination, to find that information cited or even presented anywhere in the article body, although it's very possible that I missed it. — If I did, and there had been a citation for that claim in the lead, locating the corresponding use of the same cite in the body would be a helpful way to connect those dots.) The closest thing to a corroboration I could find was the claim, in the markets section, that gray-hat purchasers (mostly state entities) represent the largest market for zero-day vulnerabilities. But if that's what the lead is meant to be summarizing, changing it from "the largest market for purchasing zero-day vulnerabilities" to "the primary users of zero-day vulnerabilities" makes it a very different claim.
 * But sources don't dictate the content of a Wikipedia article, its editors do. You're working primarily from book sources. (Plus at least one journal article, Dellago et al., that's entirely about the exploits market, so that's certainly going to focus heavily on it.) Of course any book about cybersecurity is going to cover the market for trading vulnerabilities, and likely at considerable length. They'd be doing their readers a disservice not to. But this article is about one specific topic those books cover (out of dozens, no doubt), and as a topic article it should be as focused as possible on that topic. We (using the royal "we") clearly agree that the market for vulnerabilities is an important topic. So important, in fact, that there's a whole separate article about that topic. Which is why that article is the  article about that other topic. While there will always be some overlap, covering the same ground at length in multiple articles risks both redundancy and contradiction. Discussing the market as it pertains to vulnerabilities themselves has relevance to an article on vulnerabilities. But anything even somewhat tangential is better left to the dedicated article on the topic. An example of what I feel is largely tangential:  Aside from the last two sentences of the first paragraph, and maybe a couple of the middle sentences about the usability of purchased vulnerabilities from the second paragraph, most of that is mainly or entirely about the market and the entities trading on it, not about the vulnerabilities themselves, which I still maintain makes it off-topic.
 * Also, something I hadn't noticed originally, but speaking of sources — on this one:
 * The subtitle of the book is not "Winner of the FT & McKinsey Business Book of the Year Award 2021". (How would that even work?!) The correct title+subtitle, as can be seen at its Amazon page, is This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.
 * FeRDNYC (talk) 23:17, 6 July 2024 (UTC)
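To make the disagreement in the thread above concrete, here is an added example (not from the article, the discussion, or any of the cited sources) that encodes the three readings being argued over, patch status, knowledge status, and the exposure-based reading attributed to Ducklin, and evaluates each against constructed vulnerability timelines. The vulnerability names and dates are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    """Key dates in one vulnerability's lifecycle (any may be unknown)."""
    name: str
    exploited_in_wild: Optional[date]   # first known use against real systems
    vendor_aware: Optional[date]        # when the vendor learned of the flaw
    public_disclosure: Optional[date]   # when it became publicly known
    patch_released: Optional[date]      # when a fix was published


def _happened_by(d: Optional[date], at: date) -> bool:
    """True if event `d` is known and had already occurred on day `at`."""
    return d is not None and d <= at


def zero_day_by_patch_status(v: VulnTimeline, at: date) -> bool:
    """Patch-status reading: zero-day while no fix has been released."""
    return not _happened_by(v.patch_released, at)


def zero_day_by_knowledge_status(v: VulnTimeline, at: date) -> bool:
    """Knowledge-status reading (Dellago et al. wording): zero-day while
    unknown to both the vendor and the wider public."""
    return (not _happened_by(v.vendor_aware, at)
            and not _happened_by(v.public_disclosure, at))


def zero_day_by_exposure(v: VulnTimeline) -> bool:
    """Exposure reading (Ducklin): attackers used it before the vendor knew,
    so defenders had zero days to patch proactively. Unlike the other two
    readings this is a property of the timeline, not of a point in time,
    and it does not go away once a patch ships."""
    if v.exploited_in_wild is None:
        return False
    return v.vendor_aware is None or v.exploited_in_wild < v.vendor_aware


def exposure_window_days(v: VulnTimeline) -> Optional[int]:
    """Days between first in-the-wild exploitation and the patch, i.e. the
    window in which no fix existed for an actively attacked flaw."""
    if v.exploited_in_wild is None or v.patch_released is None:
        return None
    return (v.patch_released - v.exploited_in_wild).days


def classify(v: VulnTimeline, at: date) -> dict:
    """All three readings for one vulnerability on one day."""
    return {
        "patch_status": zero_day_by_patch_status(v, at),
        "knowledge_status": zero_day_by_knowledge_status(v, at),
        "exposure": zero_day_by_exposure(v),
    }


# Constructed timelines (hypothetical, not real vulnerabilities).
# Case 1: attackers found it first; vendor learned later; patched at disclosure.
EXPLOITED_FIRST = VulnTimeline(
    name="hypothetical-bug-A",
    exploited_in_wild=date(2024, 1, 1),
    vendor_aware=date(2024, 1, 11),
    public_disclosure=date(2024, 1, 31),
    patch_released=date(2024, 1, 31),
)
# Case 2: the vendor found it internally and never saw it attacked.
VENDOR_FOUND = VulnTimeline(
    name="hypothetical-bug-B",
    exploited_in_wild=None,
    vendor_aware=date(2024, 2, 1),
    public_disclosure=date(2024, 3, 1),
    patch_released=date(2024, 3, 1),
)

if __name__ == "__main__":
    for v in (EXPLOITED_FIRST, VENDOR_FOUND):
        for day in (date(2024, 1, 5), date(2024, 1, 20), date(2024, 2, 15)):
            print(v.name, day, classify(v, day))
        print(v.name, "exposure window (days):", exposure_window_days(v))
```

Note how the readings split: once the vendor knows (2024-01-20) case 1 stops being a zero-day under the knowledge reading but not the patch reading, after the patch it is a zero-day only under the exposure reading, and case 2 counts as a zero-day under the first two readings before anyone knew of it, which is the dilution Jericho347 objects to, while never qualifying under the exposure reading.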

The edits made by Buidhe paid (talk | contribs) at 02:03, 4 June 2024, contain many poor choices in wording that introduce confusion and errors. There are two definitions for 'zero day' really, and using the term in the context of any vuln not known to the vendor means that a significant portion of vulns are zero days at some point in their lifecycle (any not discovered by the vendor). That dilutes the other meaning, used in many circles where a zero day is one that is not known to the vendor at time of exploitation. In your talk above, even asking the question "or the bug is discovered by the vendor?" in the context of being called a vulnerability is completely wrong. Fundamentally, a vulnerability is a flaw that allows crossing of privilege boundaries. Clearly defining both definitions is essential for this page. Why? Because saying "States are the primary users of zero-day vulnerabilities" is absolutely false, as a majority of computer criminals are not nation state actors, yet use zero day vulnerabilities (by either definition). While nation state TAs tend to get more press, by volume, they represent a much smaller group than the larger computer criminal category. Saying things like "the significant cost of writing the attack software" is also wrong, in the aggregate, because if you factor in every "zero day" XSS, writing the exploit takes seconds typically. You simply cannot make these blanket statements without a lot more clarification and qualification. I recommend all of the prior changes be reverted in favor of adding smaller bits at a time, so there are easier reverts or edits to improve the quality of this article. Overall, I feel that the quality of this page went down. Additionally, unrelated to the last edit, the section on RAND needs to include citations of those who call into question some of their findings. That paper has flaws. Jericho347 (talk) 03:41, 4 June 2024 (UTC)


 * My definition of zero-day closely follows that found in the scholarly sources that I cited. There may be other definitions, however, I believe that if found in sources of equivalent quality, they should be added rather than deleting the existing definitions provided, which are in widespread use in RS. While I would agree that the term "zero day" is usually used when the vulnerability is exploited prior to discovery, unless that stipulation is found in reliable sources we cannot use original research to add it ourselves.
 * As for definitions of vulnerability, the one I was able to find in several sources is that it is a bug that weakens the system security. It may be that some sources define it as crossing a privilege boundary, and if so, that definition could be mentioned in the article.
 * The other statements that you identified as inaccurate simply reflect what it says in the cited source. In order to remove this information, we would need to find other sources that contradict these statements or establish that the sources I cited are not reliable.
 * I do think the article can be improved with more sources and I welcome any specific suggestions of sources to add. However, citing one source doesn't automatically mean that we must also cite other sources that disagree; depending on the circumstance this could violate WP:Reliable sources, WP:Neutral point of view, and WP:Fringe guidelines.
 * Reverting my edit should not be done because the previous version is so poorly sourced that most of it would be subject to deletion under the verifiability policy. Buidhe paid (talk) 03:53, 4 June 2024 (UTC)
 * That's a strange claim. Other than for Biographies of Living Persons, there is no deletion mandate attached to WP:V. In fact, quite the opposite: Information isn't deleted from Wikipedia for being unsourced. Information is deleted for being wrong and/or unsource-able. (Or for involving WP:BLP, because nobody likes to get sued for libel or defamation.) Otherwise, the information simply needs to be cited. FeRDNYC (talk) 23:30, 6 July 2024 (UTC)
 * I think that text has lagged behind common practice. If there is no source, an editor or reader has no way of knowing if it's sourceable or not. If I don't know if it's sourceable, I can challenge it in good faith by removing the content and it should not be restored unless someone can find a source, thus proving that it is verifiable. Buidhe paid (talk) 01:33, 7 July 2024 (UTC)

At the very least, would you please consider reverting it, then doing one edit per section for easier discussion and further editing? re: Citations.. by only citing one flawed study, and not citing industry pushback, that too is not neutral. To me, WP:Neutral point of view means showing two sides of a point if there is a difference of opinion and valid citations for both. re: Your definition, cited or not, of "a bug that weakens the system security", then are default admin credentials a vulnerability or not? Because they aren't a bug to many vendors, yet it clearly allows full admin access to the system if they aren't changed. That leads down the rabbit hole of "does the vendor document them? does the vendor say to change them? does the vendor force you to change them during install?" and you get shades of whatever. InfoSec has a parroting problem, and there are cases where one hundred citations can be provided to back a choice of wording, but it doesn't mean they are correct either. Jericho347 (talk) 04:21, 4 June 2024 (UTC)


 * Let's see the sources. Which ones specifically criticize the Rand paper? Buidhe paid (talk) 04:52, 4 June 2024 (UTC)

https://blog.hboeck.de/archives/882-Zero-Days-and-Cargo-Cult-Science.html Being the first that comes to mind, not sure how that got missed. Hanno is well-respected in the industry. I cite his blog as prior work in my criticism of the paper as well (https://jericho.blog/2017/07/24/analysis-of-the-random-report-on-zero-days-and-vulnerability-rediscovery/) and further cite a different paper (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2928758) that comes to very different conclusions than RAND. It is critical to note that RAND's paper is based on a dataset that they do not publish, so there was no direct peer review. Any review had to be on a different dataset generated to try to mimic theirs. Out of curiosity, I know you are paid to edit Wikipedia articles, but are you working in this world day to day? Jericho347 (talk) 04:20, 1 July 2024 (UTC)


 * To be honest the reason I never came across these sources is because I didn't check for blogs or white papers not indexed on Google Scholar. Although these might qualify for WP:SPS, I'm not sure that it would make sense to cite them.
 * You may be right about the weaknesses in the report's methodology, but it was widely and approvingly cited in the literature. I checked sources citing the RAND paper that are published in a peer-reviewed medium. I did not find any caveats about methodology. In fact, one of these referred to the RAND study as "the most sophisticated analysis of vulnerability rediscovery to date."
 * Some sources I found didn't mention the vulnerability overlap, but those that did were:
 * How does the offense-defense balance scale? Ben Garfinkel and Allan Dafoe Taylor & Francis 2021
 * Of these, only the last mentions another study that found a different result. Still, it is reasonable to add it to the article.
 * My paid editing gig (which technically ended a month ago) is in addition to a normal full time job. Buidhe paid (talk) 05:30, 1 July 2024 (UTC)
 * Whereas the majority of us are entirely volunteers who contribute on our free time, without pay. FeRDNYC (talk) 23:20, 6 July 2024 (UTC)