What's a zero-day and should I worry about them?

Short answer

A zero-day is a vulnerability that attackers are exploiting before the vendor has shipped a patch. For vibe-coded apps, a zero-day in your stack is rare; you're far more likely to be breached through a six-month-old bug you never patched. Keep dependencies updated and your zero-day exposure stays low; the overwhelming majority of real breaches come from the boring unpatched stuff.

The term 'zero-day' gets overused by marketing: most breaches are not zero-days. Here's the honest threat model for a vibe-coded app:

**What a zero-day really is.** A vulnerability in software that (1) the vendor hasn't yet released a patch for, AND (2) attackers are already exploiting. In practice they're rare: there's a limited supply of undisclosed-and-exploited bugs at any one time, and they're usually spent on high-value targets (enterprise, government) rather than burned on a small SaaS.

**What almost certainly gets you breached first:**

- A 6-month-old CVE in Next.js / your framework that you never updated
- A leaked API key in an old Replit deployment you forgot about
- A Supabase RLS policy that was always broken (a logic bug in your code, not a CVE)
- A user with a weak password, or a password reused from a different breach
- A phishing email that lands in your inbox as a support request
- Your support staff being social-engineered into resetting someone's password

**What to actually do:**

1. Keep dependencies current. Run `npm audit` and `pnpm up --latest` at least quarterly, and enable Dependabot auto-PRs so routine bumps arrive on their own.
2. Subscribe to security advisories for your framework (Next.js, Supabase, whatever you use). When a critical CVE drops, patch within 24 hours.
3. Watch Securie's CVE library and similar trackers; we specifically watch for the ones that affect AI-built stacks.
4. Fix the unsexy bugs first: RLS, auth, key management. These account for the vast majority of real-world breaches.
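The "RLS policy that was always broken" above, and step 4's advice to fix RLS first, are worth seeing concretely. Below is an added example (not code from this page or from Supabase) showing the broken shape beside the corrected one. It assumes a Supabase/Postgres project where `auth.uid()` is the built-in helper that returns the calling user's id from the JWT, and a hypothetical `public.notes` table that is mine for illustration; the test block at the end assumes `auth.uid()` reads the `request.jwt.claims` setting, which is how Supabase's `auth.uid()` is defined.

```sql
-- Constructed example table: a notes app where each row belongs to one user.
create table public.notes (
  id bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id),
  body text not null,
  created_at timestamptz not null default now()
);

-- If you forget this line, every policy below is ignored and the public
-- anon key can read and write the whole table. Turn RLS on first.
alter table public.notes enable row level security;

-- BROKEN: RLS is enabled, so the dashboard looks "secure", but the policy
-- body is `using (true)`, which lets ANY logged-in user read and modify
-- EVERY row. This is the logic bug that ships and nobody notices.
create policy "notes are readable" on public.notes
  for select to authenticated
  using (true);

create policy "notes are writable" on public.notes
  for all to authenticated
  using (true) with check (true);

-- FIXED: drop the permissive policies and scope every command to the
-- row owner. `using` filters rows already in the table; `with check`
-- validates rows being written, so inserts/updates cannot forge user_id.
drop policy "notes are readable" on public.notes;
drop policy "notes are writable" on public.notes;

create policy "owner can read own notes" on public.notes
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "owner can insert own notes" on public.notes
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "owner can update own notes" on public.notes
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "owner can delete own notes" on public.notes
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Check it from the SQL editor by impersonating a user. Assumption: Supabase's
-- auth.uid() falls back to the 'sub' claim in request.jwt.claims.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  -- With the broken policies this returns every row in the table;
  -- with the fixed ones it returns only rows whose user_id is that uuid.
  select count(*) from public.notes;
  -- This insert must fail under the fixed policies (forged user_id):
  insert into public.notes (user_id, body)
    values ('00000000-0000-0000-0000-000000000002', 'not mine');
rollback;
```

Two things to take from this. First, "RLS enabled" is not the same as "RLS correct"; the Supabase dashboard happily shows a green padlock over `using (true)`. Second, the anon key is public by design, so these policies are the only thing between the open internet and the table, which is why a permissive policy is far more likely to hurt you than any zero-day in Postgres itself.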

**When to actually worry about zero-days:** if you're a journalist, human-rights defender, political dissident, or target of state-level adversaries. For a startup selling SaaS, zero-days are rarely the thing that gets you.

Securie's free scan (launching this year) will cover the boring-but-deadly stuff. Join the list for a week-1 run. No scan can catch an actual zero-day (by definition), but keeping your patches fresh is where the real risk reduction lives.
