Vulnerability Discovery

Vulnerability Discovery refers to the process of searching for and finding previously unknown vulnerabilities in information processing systems.

Vulnerability discovery can take many forms, from specifically targeted software testing to simple use of a system by a security-aware individual who notices some feature that seems out of place. In order for that discovery to be relevant to our discussion, it must result in a vulnerability report. Most discussions about vulnerability disclosure are referring to the handling of reports of newly discovered vulnerabilities in products for which no patch exists

So you mean zero days?

Colloquially, yes. But for a more nuanced discussion regarding why we're eschewing the term zero-day vulnerability here, see our blog post Like Nailing Jelly to the Wall: Difficulties in Defining "Zero-Day Exploit"

Vulnerability Discovery vs. Vulnerability Scanning

Vulnerability Discovery is the process of finding new vulnerabilities in software or hardware. This is distinct from Vulnerability Scanning, which is the process of using automated tools to find known vulnerabilities in software or hardware. Vulnerability scanning is a useful tool for finding known vulnerabilities in a system as part of a vulnerability management program, but it is not a substitute for vulnerability discovery.