In the debate about publishing n-day PoCs, I’m not reading anyone debating what the value of n should be for fully working PoCs. I’ve personally published vuln details when the patch was released, techniques in the abstract, but waited over a year for working exploits. Seemed best to me.
-
I wouldn't say "essentially non-existent" because some published exploits seem to be enabling ransomware and cryptomining these days (I don't have hard numbers, just anecdotally). Published client-sides can also help NSO-like companies. To me, the only winning move was not to play :).
-
Perhaps we can agree it's not even 1% compared to malware. There are for sure drawbacks to open research that we have to wrestle with, but the net result is undoubtedly positive. Similarly, there are drawbacks to the easy availability of lots of things: pharmaceuticals, power tools, etc.