The Ethics of Posting Exploits on Public Forums

2 points by pyeri 6 hours ago

I was going through a very popular programming forum today where some author had posted this article titled:

> POC of <Vulnerability Description> CVE-XXXX-XXXX

I think this is ethically problematic because while it informs the users of this critical vulnerability in the software product and also advises them to update it, at the same time it also gives the attackers a readymade recipe to exploit this vulnerability. Now, an argument could be made that the attacker themselves may look up the openly published CVE and figure it out on their own, but that's quite different from handing them the master key like this.

In fact, looking at this from a slightly cynical perspective, the author of this piece could be seen as actually egging on or inviting trouble to the said product from potential hackers?

cardz 39 minutes ago

I have seen many companies getting hacked through vulnerabilities that had recently released exploits, while I was working with an incident response team. I believe in most cases the CVE was available for some time before the exploit code was made public, but no one was aware of the CVE and its implications so they didn't apply the patches. I don't think the researcher is inviting trouble, but once the exploit becomes public there is a greater chance of the vulnerability being actively exploited.

Shameless plug: I've been working on a project called https://hacktrack.info, that lets the user track the software they use and get an email alert when new CVEs are released for their stack.

sciarook 5 hours ago

I think you're misunderstanding how these things work. People who post POCs for vulnerabilities aren't trying to invite hackers or cause trouble. They're helping developers and security researchers understand exactly what the issue is and how to fix it. Without this information companies take way longer to patch the problem.

> at the same time it also gives the attackers a readymade recipe to exploit this vulnerability. Now, an argument could be made that the attacker themselves may look up the openly published CVE and figure it out on their own, but that's quite different from handing them the master key like this.

You answered yourself here :) Attackers who want to exploit vulnerabilities will figure it out on their own if they have to. Once a vulnerability is public, it's public. The bad guys already have their tools and methods to reverse-engineer the flaws.

> In fact, looking at this from a slightly cynical perspective, the author of this piece could be seen as actually egging or inviting trouble to the said product from potential hackers?

Hackers aren't waiting around for someone to give them an easy way in, they're already constantly looking for these kinds of flaws. The author of the POC is just putting this information out there to help everyone, especially the people who need to patch and secure their systems. I don't see how the benefits of hiding this info and keeping us in the dark outweigh the benefits of publishing it.

Placing blame on the authors of POCs is strange. A larger issue is companies that either make shit soft/hardware, or who don't patch their systems in good time after a vulnerability is discovered.