In the debate about publishing n-day PoCs, I’m not reading anyone debating what the value of n should be for fully working PoCs. I’ve personally published vuln details when the patch was released, techniques in abstract, but waited over a year for working exploits. Seemed best to me.
I don't know of a way that data could show either way, so it really comes down to differences in expert opinions and how different individuals want to spend their productive hours.
Doesn't the popularity of good quality tools with professionals count as data? If it was without value for defenders, we could show that easily. I can say that my work benefits greatly from access to open research, hard to believe you wouldn't agree with that!
Does it make sense to phase the disclosure in order for defensive tools to first have signatures/known behavioural patterns before disclosing the PoC publicly for offensive tools?
No, I don't think so. I prefer the playing field to be leveled as early as possible, but this is too big a discussion for Twitter!