by economyballoon 2026 days ago
What does "None of the tools contain zero-day exploits" exactly mean? Do the tools contain known zero-days but not non-public zero-days?
4 comments

It just means all the exploits are for vulnerabilities that have been published already.
Doesn't being known preclude them from being zero days by definition?
In the 'zero-day' and related terminology the days start counting from the time when a fix is available. It refers to how much time a defender has had to fix their systems, a zero-day implying that even the most prudent defender could not have prevented the attack; and a day-1 (or day-x) attack implying that the defender might have closed the vulnerability if they had been sufficiently fast in monitoring for the existence of the problem and fixing their systems.

So there certainly could be zero-day exploits for vulnerabilities that are known but not yet fixable, perhaps because the vulnerability did not seem easily exploitable and thus not urgent to the vendor.

Or no exploits at all, i.e. post-exploitation frameworks, control channels etc. only.

EDIT: Never mind, they added something to the countermeasures repo that goes against that.

I would have thought it would mean that any exploits which are used have widely available patches.