The blog seems to indicate that the concept of a window of vulnerability is some type of fixed static property and criticizes those that use the concept as archaic and out of touch. Might a window of vulnerability be much more dynamic and subject to all of the types of variables that you have enumerated therein? Therefore we can't define it in terms of how many days a vulnerability is exploitable until a patch or mitigation is applied, but what the attack surface is around that vulnerability in the context of an exploitation campaign, target, or environment. A simple time-based metric cannot consider all of this context and if that's what you are saying then I understand.

On Thursday, February 11, 2016, Dave Aitel <dave.aitel@gmail.com> wrote:
> http://cybersecpolitics.blogspot.com/2016/02/0days.html
>
> Today, on a day when we've discovered the existence of gravitational waves in the wild, I wanted to move our discussions of vulnerabilities and 0days towards the modern level that the offensive community has been using for over a decade. The above blog post is my attempt at a first baby-step.
>
> -dave