We clearly disagree on this
Providing POCs helps defenders more than attackers. Defenders often use POCs to build detections and develop new solutions to mitigate not just the bug but also exploit techniques.
Replying to @Fox0x01 @maddiestone
Ok but even without public PoC code attackers can simply bindiff beta releases or take crash PoCs from public source code repos (see https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html …) and possibly develop an exploit before the patch even ships to users...
2 replies 0 retweets 17 likes -
Replying to @Fox0x01 @maddiestone
See other reply. Re. mitigations: that's also where releasing exploits helps as it shows where those mitigations fail and how they can be improved or new ones added
1 reply 0 retweets 7 likes -
The people who write the mitigations don't need public exploits to do that
1 reply 0 retweets 2 likes -
Hmmm I would argue that we would probably have a lot less exploit mitigations (or none at all?) today had no one ever published an exploit? But maybe I'm not getting your point...
2 replies 0 retweets 8 likes
It's an old debate that quickly degrades into people shouting "irresponsible" at you, just do whatever you think is right with your research.
Did you mean: Jehova
0 replies 0 retweets 0 likes