Despite debate in the threat intel community, a new study finds that publishing exploits before patches are available does more harm than good. (New York University)
A new study quantifying the benefits and dangers to security when exploits are published before patches found a lot of the latter and little of the former.
There is a long-running debate over whether releasing exploit code as soon as a vulnerability is discovered, whether by researchers or by criminals, is actually beneficial. Advocates argue that published exploits support penetration testing, create pressure to patch and make a vulnerability seem more tangible. Detractors note that exploit code can be repurposed by attackers, including those who would otherwise lack the ability to write it themselves.
Publishing exploit code does more harm than good, says report
Disclosing exploit code before patches are available gives malicious actors a ‘massive’ head-start, says Kenna Security
Published: 13 May 2021 13:12
Cyber security researchers and ethical hackers may wish to consider easing off on publicly disclosing vulnerability exploit code before patches have been made available, because doing so gives malicious actors a “clear and unequivocal” advantage, according to new data crunched by vulnerability management specialist Kenna Security and Cyentia Institute.
In the research study, Prioritisation to prediction, volume 7: establishing defender advantage, Kenna said that in about one-third of cases it had found that ethical hackers – whom the industry relies on to some extent to identify new vulnerabilities and write proof-of-concept exploit code – made their code publicly available before the patch.