The Ethics of Posting Exploits on Public Forums
I was going through a very popular programming forum today where some author had posted this article titled:
> POC of <Vulnerability Description> CVE-XXXX-XXXX
I think this is ethically problematic because while it informs the users of this critical vulnerability in the software product and also advices them to update it, at the same time it also gives the attackers a readymade recipe to exploit this vulnerability. Now, an argument could be made that the attacker themselves may look up the openly published CVE and figure it out on their own, but that's quite different from handing them the master key like this.
In fact, looking at this from a slightly cynical perspective, the author of this piece could be seen as actually egging or inviting trouble to the said product from potential hackers?
4 comments
[ 2.5 ms ] story [ 20.4 ms ] threadhttps://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
> at the same time it also gives the attackers a readymade recipe to exploit this vulnerability. Now, an argument could be made that the attacker themselves may look up the openly published CVE and figure it out on their own, but that's quite different from handing them the master key like this.
You answered yourself here :) Attackers who want to exploit vulnerabilities will figure it out on their own if they have to. Once a vulnerability is public, it's public. The bad guys already have their tools and methods to reverse-engineer the flaws.
> In fact, looking at this from a slightly cynical perspective, the author of this piece could be seen as actually egging or inviting trouble to the said product from potential hackers?
Hackers aren't waiting around for someone to give them an easy way in, they're already constantly looking for these kinds of flaws. The author of the POC is just putting this information out there to help everyone, especially the people who need to patch and secure their systems. I don't see how the benefits of hiding this info and keeping us in the dark outweigh the benefits of publishing it.
Placing blame on the authors of POCs is strange. A larger issue is companies that either make shit soft/hardware, or who don't patch their systems in good time after a vulnerability is discovered.
Shameless plug: I've been working on a project called https://hacktrack.info, that lets the user track the software they use and get an email alert when new CVEs are released for their stack.