ZeroWatch

Zero-Day Intelligence — Open Source

ZeroWatch is an open inventory of confirmed zero-day vulnerabilities, developed as part of a PhD research project in cybersecurity. Its goal is to turn information that today exists nowhere in a consolidated, open form into structured, publicly accessible data.

Confirmed 0-days: 634
Indexed articles: 11642
Enriched CVEs: 782
Threat Actors: 1127
TA ↔ CVE links: 13746
Google Project Zero: 403

Research Context

This project is part of a PhD thesis on vulnerability management prioritization and optimization through graph and hypergraph learning. The initial research focuses on mapping and interpreting zero-day vulnerabilities: by modeling relationships between vulnerabilities, threat actors, products and exploitation events as heterogeneous knowledge graphs — and later as hypergraphs — the goal is to identify communities and recurring patterns in zero-day exploitation.

A fundamental prerequisite emerged early: having a reliable, structured inventory of zero-days to work with. Yet no official, comprehensive zero-day inventory exists today — neither at the national nor international level. Existing databases (NVD, CISA KEV, etc.) catalog known vulnerabilities without systematically distinguishing those exploited before a patch was available.

ZeroWatch was built to fill that gap. It is both a research tool and a community contribution, with the ambition of being released as open source and made freely available to the security community.

Definition — What is a Zero-Day?

A zero-day is a vulnerability exploited in the wild — meaning used in real attacks against real targets — before or simultaneously with the availability of an official vendor patch. This definition is strict: an old vulnerability exploited years after its publication and patch is not a zero-day. It is an N-day, an opportunistic attack vector targeting unpatched systems.

This distinction is central to ZeroWatch's classification methodology. Each CVE is evaluated against precise criteria: documented exploitation evidence, timing relative to patch availability, and source quality and consistency.

Methodology

1. Automated monitoring & collection

Collectors continuously monitor major open-source threat intelligence feeds: security bulletins, alert feeds, exploited vulnerability catalogs, and researcher publications. Each signal is normalized, scored, and linked to the CVEs it references.

2. AI-assisted classification

An AI agent analyzes each CVE and its associated sources, applying the strict zero-day definition. It produces a classification (confirmed / potential / rejected), a confidence score, and an analyst note summarizing its reasoning. Distinguishing zero-days from N-days is at the core of its decision process.

3. Human validation

A human analyst reviews the AI classifications, confirming, correcting, or rejecting each CVE based on source articles, severity scores, and reference database information. The final inventory only presents zero-days validated with sufficient confidence.

4. Enrichment & publication

Each confirmed zero-day is enriched with available official data: CVSS v4/v3 scores, exploitation probability (EPSS), affected products, CWEs, and known threat actor associations. The data is made searchable through this public catalog.
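The timing rule at the heart of the definition above (exploited in the wild before or on the day an official patch became available) and the confirmed / potential / rejected outcome of step 2 can be illustrated with a small rule-based classifier. This is an added example, not ZeroWatch's own agent or code; the evidence weights, the 0.6 confidence threshold and the CVE identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed example: a rule-based approximation of the strict zero-day
# definition. ZeroWatch's real pipeline uses an AI agent plus human review;
# this only shows the timing logic that separates zero-days from N-days.

@dataclass
class Evidence:
    source: str          # e.g. vendor advisory, KEV entry, news article
    exploited_on: date   # earliest in-the-wild exploitation date the source documents
    weight: float        # assumed source-quality score in [0, 1]

@dataclass
class CveRecord:
    cve_id: str
    patch_available: Optional[date]          # None if no official fix exists yet
    evidence: list[Evidence] = field(default_factory=list)

def classify(rec: CveRecord, min_confidence: float = 0.6):
    """Return (classification, confidence, analyst_note) for one CVE."""
    if not rec.evidence:
        # No documented exploitation at all: cannot be a zero-day.
        return "rejected", 0.0, "no documented in-the-wild exploitation"
    earliest = min(rec.evidence, key=lambda e: e.exploited_on)
    # Confidence grows with corroborating source quality, capped at 1.0.
    confidence = min(1.0, sum(e.weight for e in rec.evidence))
    # Zero-day: exploited while unpatched, or on/before the patch date.
    if rec.patch_available is None or earliest.exploited_on <= rec.patch_available:
        label = "confirmed" if confidence >= min_confidence else "potential"
        when = ("no patch available at time of exploitation" if rec.patch_available is None
                else f"exploited {earliest.exploited_on}, patch {rec.patch_available}")
        return label, confidence, f"zero-day: {when} ({earliest.source})"
    # Exploitation only after the patch: an N-day, rejected from the inventory.
    days = (earliest.exploited_on - rec.patch_available).days
    return "rejected", confidence, f"N-day: first exploitation {days} days after patch"

if __name__ == "__main__":
    # Constructed records; CVE-0000-000x are placeholders, not real CVEs.
    print(classify(CveRecord("CVE-0000-0001", date(2024, 3, 10),
                             [Evidence("vendor advisory", date(2024, 3, 5), 0.7)])))
    print(classify(CveRecord("CVE-0000-0002", date(2024, 3, 10),
                             [Evidence("news article", date(2024, 6, 1), 0.4)])))
```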

⚠ Current Limitations

ZeroWatch is an ongoing research project, not a commercial product. The inventory relies exclusively on open-source intelligence: it does not have the real-time detection capabilities of government agencies such as CISA or ANSSI.

False positives and false negatives are possible. Classification is continuously improved through community feedback and analyst review.

Data Sources

CISA KEV: Official US catalog of known exploited vulnerabilities
Google Project Zero: Zero-days discovered and documented by Google
NVD — NIST: US national vulnerability database, official CVSS scores
Zero Day Initiative (ZDI): Bug bounty program, coordinated disclosures
FIRST EPSS: Exploit Prediction Scoring System, 30-day exploitation probability
CIRCL VulnerabilityLookup: CVSS v4.0 data and affected products
Security media: BleepingComputer, The Hacker News, SecurityWeek, etc.

Open Source

ZeroWatch is intended to be released as open source, enabling the academic and security community to contribute to the inventory, propose corrections, and freely use the data for their own research.

The source code will be published once the project reaches sufficient maturity.

Contact

For questions, classification error reports, or academic collaboration, a GitHub issue tracker will be available upon repository publication.