Vulnerabilities are weaknesses in a system or resource that can be exploited by an attacker. Vulnerabilities may be known, unknown, or newly discovered (zero-day).
Vulnerabilities vary and can run the gamut of defects in a system’s design, implementation, operation or internal control. Often, a vulnerability is not considered a security risk if the target asset is of no value.
The specific tool an attacker uses — software, data, or set of commands — is the exploit. Where an attacker’s tool meets the vulnerability is the attack surface. Known vulnerabilities are ones with at least one documented instance of a deployed, functioning exploit.
Stagefright and Heartbleed are two well-documented vulnerabilities. Stagefright is a collection of software bugs that affect versions the Android operating system v2.2 "Froyo". Stagefright allowed its creator to carry out random functions on the host device through remote code execution and privilege escalation. Heartbleed is a security bug in the OpenSSL cryptography library, a broadly deployed Transport Layer Security (TLS) implementation. Heartbleed enables more data to be read than what is allowed (buffer over-read).
Zero-Day is the date when a vulnerability is first discovered, hence zero-day exploits are vulnerabilities that target unknown or unaddressed software vulnerabilities.
"Zero-days are especially dangerous because they are neither known nor newly discovered vulnerabilities. The target typically learns about them from the damage a hacker brings, or at the very least you learn about it from some unflattering Twitter or Reddit thread."