On the “vulnerability” it could be considered a zero-day because there was a real exploit against it prior to the exploit being reported by security researchers. It could also be considered not a zero-day because the software vendor is aware of the vulnerability such that no other real exploit of it, regardless of it being patched, will occur on the same day that they learn of it.
It’s kinda moot that it’s been patched. Even if they somehow failed to patch it since the exploit, it is no longer a zero-day vulnerability. But, to your point, knowing that it has been patched is practically (obviously) the same as knowing that the software vendor is aware of the vulnerability.
(Funny enough, they could be aware of it and it still be a zero-day since the definition is how many days have past since the vendor learned of it prior to it being exploited. Though, it would need to be exploited after they learn about it but before they patch it, which is unlikely.)
Just for the sake of being more precise...
On the “vulnerability” it could be considered a zero-day because there was a real exploit against it prior to the exploit being reported by security researchers. It could also be considered not a zero-day because the software vendor is aware of the vulnerability such that no other real exploit of it, regardless of it being patched, will occur on the same day that they learn of it.
It’s kinda moot that it’s been patched. Even if they somehow failed to patch it since the exploit, it is no longer a zero-day vulnerability. But, to your point, knowing that it has been patched is practically (obviously) the same as knowing that the software vendor is aware of the vulnerability.
(Funny enough, they could be aware of it and it still be a zero-day since the definition is how many days have past since the vendor learned of it prior to it being exploited. Though, it would need to be exploited after they learn about it but before they patch it, which is unlikely.)