What if the vendor already knew? If Apple reveals 2 years from now that they had discovered it on their own 15 days before Google reported the exploit, does it retroactively become a 90 + 15 = 105-day?
Yes, that would be a 105-day. And it would show Apple in a bad light, because they had 105 days to fix it and still did not do it, just like this vulnerability is a 90-day.
0-day basically means that the vendor learned about the vulnerability the same day everyone else did; it should not be used in a situation where the vendor was notified promptly, yet still ignored it and didn't fix it. I don't understand why so many people have a problem with this.
Because it becomes a definition that's excruciatingly precise, but useless to almost everyone in the world.
I'm probably not the programmer responsible for fixing a bug in my OS; hardly any of us are. But we're all at the mercy of that bug being fixed. So aside from PR, there's literally no reason why I should care how long the vendor has known about it. I care how long everyone else has known about it prior to a fix being available.
If there's going to be a widely-used term for one or the other, language is going to evolve such that the term covers the latter case, because we have practically no reason to care about or refer to the former.
I would also argue that you should choose a word to describe such serious flaws in such a way that the "flaw" doesn't appear to go away if nothing changes except the passage of a very small amount of time. I don't want vendors saying, "we have no zero-day exploits" simply because they waited 10 hours to make the statement.