Is it OK to publish PoC exploits for vulnerabilities and patches?
2021-05-05 05:30

In the wake of the Microsoft Exchange ProxyLogon zero-day and F5 BIG-IP security exploits earlier this year, many are questioning if and when should researchers publish proof of concepts for vulnerabilities and associated patches.

While publishing PoC exploits for patched vulnerabilities is common practice, this one came with an increased risk of threat actors using them to attack the thousands of servers not yet protected.

On the one hand, publishing PoC exploits helps researchers understand the attack so they can build better protections.

What was the risk to the global community when the PoC was published? A week after the patch was released and the PoC was published, perhaps half of vulnerable global servers still weren't protected.

Clearly the timing of the published PoC played a role in the global havoc.

The line should be drawn at publishing details about reverse-engineered patches; creating, forking and improving fully functional exploit scripts; and handing fully functioning PoC scripts to the world, including threat actors, before patches can be fully deployed.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/em0uepXrB6w/