In the debate about publishing n-day PoCs, I’m not reading anyone debating what the value of n should be for fully working PoCs. I’ve personally published vuln details when patch was released, techniques in abstract, but waited over a year for working exploits. Seemed best to me.
If I'm following your point, it's that anyone who wants capability can now use capital to acquire it, so release of N-day PoCs is immaterial to that? I don't think criminal groups could buy NSO's products and researchers wanting to make that kind of thing now go work for NSO/APT.
As important targets became harder, it's now a team-sized endeavor and solo basement hackers have trouble producing useful capabilities (this is a good trend overall). Financially motivated criminal groups seem to do more mass-fraud than targeted attacks w/ exploits from my feed.
Completely unrelated related: lots of 90s bugs are still around tho :D