This is an incredible resource for anyone looking into zeroday exploits and I'm happy to say that I helped with it http://www.rand.org/pubs/research_reports/RR1751.html
If an exploit does get rediscovered, it gets rediscovered quickly... or not really at all. pic.twitter.com/nf7GfZ1dAP
Exploit buyers overwhelmingly purchase in response to direct, operational needs. pic.twitter.com/UNGL8wnC0K
Crowdsourcing vulns is insufficient. Strategic guidance on architecture, mitigations is essential for good defense. pic.twitter.com/MqEnhZdPw0
"Offensively focused researchers employ different methods of finding bugs than defensively focused ones." Hire a red team! pic.twitter.com/E4VkYMXEnf
Selecting the RIGHT vulnerability appears to be the most time consuming part of exploit development. pic.twitter.com/yZ63tjrCQ8
As an exploit developer, you're having a GREAT year if you ship 4 exploits. pic.twitter.com/iOKN5qpT53
Bounties have little overlap w exploit development. Not in skill required, techniques developed, or bugs discovered. https://twitter.com/withzombies/status/839870870545850368
Extraordinarily few people are capable of professional exploit development, an order of magnitude less than the number of bug bounty hunters pic.twitter.com/G1rD45w0xz
To those dismissing this RAND report: Ignore it at your own peril. This is the best data ever released on real exploit development, period.
Project Zero has contributed greatly to defensive code changes, for example hardening Flash
Think you're looking at this the wrong way: Project Zero isn't just to find in-use vulnerabilities. It's to scuttle easy new exploits.
Alas, I know why you're... personally skeptical.
I see a second-order deterrence effect: "There's no way we're going to avoid Project Zero press unless we refactor this tangled mess."
Any word on how long it takes to rebuild vuln stock after refactor? I.e. does refactoring improve code qual or just delay attacker?
With sample n=200 and obvious glaring systematic biases* not sure how reliable that data is *(0day Rand know of)
So could we (or somebody w power, like Google) automate this defense. Refactor automatically and often. And use variants of code.
Q: are they effective enough between refactors?