Security News > 2022 > January > The Log4j debacle showed again that public disclosure of 0-days only helps attackers
On December 9, 2021, a tweet linking to a 0-day proof of concept exploit for the Log4Shell vulnerability on GitHub set the internet on fire and sent companies scrambling to mitigate, patch and then patch again as additional PoCs appeared.
Public vulnerability disclosure - i.e., the act of revealing to the world the existence of a bug in a piece of software, a library, extension, etc.
Some companies have an officially sanctioned and widely publicized vulnerability disclosure program, others organize and run it through crowdsourced platforms.
There may be legitimate and understandable reasons for releasing a 0-day PoC. The most common of those is the breaking down of the vulnerability disclosure process: the vendor may not be or may stop being responsive, may consider the vulnerability as not serious enough to warrant a fix, may be taking too long to fix it - or any combination of the above.
Several years ago, a presentation at Black Hat walked through the lifecycle of zero-days and how they were released and exploited, and showed that if PoC exploits are not disclosed publicly, the vulnerabilities in question are generally not discovered for an average of 7 years by anyone else.
The criticism of researchers who decide to jump the gun is deserved but, collectively, we need to focus on setting up more robust disclosure processes for everyone so that the public PoC scenario is not repeated the next time a vulnerability like Log4Shell is discovered.