Attempts to score vulnerabilities for severity are disconnected from the reality of exploiting them.pic.twitter.com/Km7mgW2Kuh
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Attempts to score vulnerabilities for severity are disconnected from the reality of exploiting them.pic.twitter.com/Km7mgW2Kuh
Defensive efforts to patch vulnerabilities have little effect on exploits. They usually die from unrelated code churn.pic.twitter.com/cVZRZwrVzQ
Many eyes (and open source) DO NOT make all bugs shallow. Linux among the highest life expectancy for exploits.pic.twitter.com/ILOUTqoPVi
AGAIN: efforts to patch or disclose your way to killing exploits don't work (*cough* Project Zero). Most die from code refactors.pic.twitter.com/tXF5rFI98J
If an exploit does get rediscovered, it gets rediscovered quickly... or not really at all.pic.twitter.com/nf7GfZ1dAP
Exploit buyers overwhelmingly purchase in response to direct, operational needs.pic.twitter.com/UNGL8wnC0K
Crowdsourcing vulns is insufficient. Strategic guidance on architecture, mitigations is essential for good defense.pic.twitter.com/MqEnhZdPw0
"Offensively focused researchers employ different methods of finding bugs than defensively focused ones." Hire a red team!pic.twitter.com/E4VkYMXEnf
Selecting the RIGHT vulnerability appears to be the most time consuming part of exploit development.pic.twitter.com/yZ63tjrCQ8
As an exploit developer, you're having a GREAT year if you ship 4 exploits.pic.twitter.com/iOKN5qpT53
Bounties have little overlap w exploit development. Not in skill required, techniques developed, or bugs discovered.https://twitter.com/withzombies/status/839870870545850368 …
Extraordinarily few people are capable of professional exploit development, an order of magnitude less than the number of bug bounty hunterspic.twitter.com/G1rD45w0xz
To those dismissing this RAND report: Ignore it at your own peril. This is the best data ever released on real exploit development, period.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.