[FLUX-YOU]

The problem with that definition is that sometimes there is mitigation you can do before the vendor can get a patch out and that effectively counters the problem.

It also isn't reasonable when the vendor simply won't or can't patch it (because they've gone out of business). To have it be labeled a zero day forever because the vendor doesn't exist is silly.

I have followed "public knowledge" as the key factor because IT systems in production are complex and some companies actually do defense-in-depth and sometimes vendors are shit.

Using zero day excessively leads to alert fatigue IMO.