[otterley]

That's not what zero-day means. Zero-day means that every affected system is vulnerable the day the vulnerability is publicly disclosed. That was not the case here as the vulnerability was addressed nearly four months before today's announcement.

[aws-dev]

Fair enough. I went off the wikipedia definition ("vulnerability unknown to those who should be interested in its mitigation"), which doesn't mention it has to be known to the general public. We had to treat it as a zero-day when it was reported, because we had to assume there might be other parties who knew about it. (I work for CloudFormation)