What does it mean to "burn a zero-day"?

I was the one who wrote the comment you quoted.

Quick answer: A 0day is burned when the exploit is used too often or haphazardly, resulting in it being discovered and patched. Virtually every time a 0day is used, it risks being burned. Using a 0day more sparingly and cautiously can increase its shelf life. The idiom intends to compare a 0day to a non-renewable resource like combustible fuel that loses its value when used up.

This likely originates from the idiom burn your bridges:

To destroy one's path, connections, reputation, opportunities, etc., particularly intentionally.


What is a 0day?

A 0day is an exploitable vulnerability that is not publicly known. When a 0day is discovered, it can be turned into a working, "weaponized" exploit. Like all vulnerabilities, if it is discovered in public, it will usually be patched and fixed, making it so the exploit no longer works. Every time you use an exploit, you necessarily transmit valuable information to a system that you do not control (yet). If the system is being extensively monitored, the exploit technique may be discovered and with it, the necessary knowledge to fix the vulnerability and roll out patches to all affected systems.

What does it mean to "burn" one?

I was the one who wrote the comment you are referencing. To "burn" a 0day is slang for using it either too often or using it in a high-risk situation where it is likely that it will be discovered because of its use. Like combustible fuel, once used up or "burned", a 0day will no longer hold the same value (both in monetary terms* and tactical terms). It stops being a 0day once it is no longer in private hands.

Friends may let you "borrow" a 0day to use yourself, under the condition that you do not burn it. This means they are telling you that you can use it, but they are trusting you to be very careful not to use it in a way that makes it likely that it will be found and fixed, depriving them of access to it.

Someone might decide to disclose the 0day suddenly in public. Especially when it's not done using coordinated disclosure, it's often called dropping a 0day, which will also burn the 0day. This is a bit uncommon but not unheard of. A few years ago on IRC, a guy joined and informed us of a remote code execution vulnerability in TeamViewer that involved sending malicious WinHelp files (which contain Visual Basic code) or something along those lines. Since the first place he disclosed that was in the middle of a general security-related IRC, he was burning a 0day by dropping it.

* 0days usually have literal monetary value. A 0day can range from a thousand dollars to upwards of a million, depending on a variety of factors such as exclusivity, applicability, reliability, specificity, conditional nature, etc.

How much are 0days worth?

Exploit brokers often buy or sell bugs with promises of exclusivity. For example, you can sell a bug under the condition that it is sold for the highest price to only one person, not to multiple people. That reduces the chance that it will be discovered, but it means you only get paid once. Alternatively, you could sell an exploit to as many people as want to buy it. You would have to sell it for a lower price because it will be burned very quickly, making its shelf life rather short. Obviously, when a 0day is burned, it is no longer nearly as useful since it will only work on outdated systems. The actual value depends on quite a few factors. They are worth more if they:

  • Work on a variety of systems.

  • Do not depend on a specific configuration.

  • Are reliable and work every time.

  • Are silent and do not leave traces in the logs.

  • Are sold to only one or a limited number of buyers.

Many contractors that deal in exploits will pay you the complete price in small sums over a period of time. If the 0day is discovered before you are paid in full, they will stop the payments. This acts as a disincentive to selling it to multiple contractors or using it frequently yourself. It essentially forces you to guarantee to them that it will remain a 0day, or you simply will not be paid in full.

Additionally, 0days are bought for more by government contractors than by random exploit brokers. You might be able to sell a complete Chrome exploit chain complete with sandbox bypass and local privilege escalation (LPE) for hundreds of thousands of dollars to Raytheon SI. The same exploit would net only a fraction of that price if you sell it to J. Random Broker on IRC. The reason is simply that corrupt governments want to be non-competitive and have ample money from taxpayers to obtain exclusive vulnerabilities so they can ~~drone strike journalists~~ protect their nation.

How do 0days get burned?

There are many activities that can risk burning a 0day. A few examples:

  • Using an exploit that is unreliable and may create a coredump.

  • Using an exploit that is conditional and only works for some configurations.

  • Using an exploit that results in an event being logged.

  • Using an exploit against a sophisticated and paranoid target.

  • Simply using an exploit too often, increasing its exposure.

  • Giving it to or trading it with a friend who is not responsible with it.

I do not condone selling 0days to governments or government contractors.


A zero-day is a vulnerability that is unknown to the software manufacturer and for which no patch exists.

When using a zero-day vulnerability against a remote server, it may give away how it works. The administrators of the application may notice they have been hacked, look in the logs and discover the vulnerability that was used to hack them. If they then fix the vulnerability, the vulnerability is no longer a zero-day vulnerability and knowledge about it is useless.

For example, this Flash zero-day was actively being exploited and that was how Adobe learned about the vulnerability.

In some cases, using a zero-day does not expose the vulnerability. For example, zero-days to root a mobile OS may be used without the software manufacturer learning about the vulnerability.


Security researchers find exploits. The day they report it is day zero because developers will start work on patching it.

Good security researchers (as in white hat) will publish the zero day to the developers before they publish it to the rest of the community. In many cases they only publish it to the community because the people in charge of the code have otherwise ignored them.

Bad security researchers (as in black hat) will archive this exploit for a rainy day. Burning a zero day ... is tapping the rainy day archive. This is usually only done for high value targets.

Regardless of whether it is disclosed or used, the exploit's time is finite from the moment the developers in charge of the code realize what is going on. So, in a sense, the exploit is used up, or burnt.