In the debate about publishing n-day PoCs, I’m not reading anyone debating what the value of n should be for fully working PoCs. I’ve personally published vuln details when the patch was released, techniques in abstract, but waited over a year for working exploits. Seemed best to me.
-
It could be semantics, but n-day still affects a ton of devices in the real world (e.g. Android binder exploit, which was fixed upstream). I only know what I read on Twitter about NSO, but I'd assume that some n-day is used in their products (it makes sense to use what works).
-
It sure does, that's why tens of thousands of professionals use tools like Metasploit to hugely benefit security. Is depriving them of tools to barely move the needle on opportunistic attacks a good trade? I don't think so.
