undefined | Better HN

0 pointsfreeqaz3y ago0 comments

Nobody wants to hand a bunch of blackhats a working exploit without there being a patch available. But yeah, at some point you have to accept that the blackhats have it and it's "more ethical" to just start handing out the exploit POC so that companies can start testing their ability to detect + remediate the issue.

It's the whole "responsible disclosure" dance. Finding a 0-day is exciting as a researcher, but you have to keep your mouth shut while a fix gets built and tested. (Google's Project Zero gives a 90 day grace period, for example)

0 comments

EE84M3i3y ago

The post says "there is a public proof-of-concept available." If that's true, just link to it. The cat's already out of the bag.

freeqazOP3y ago

Thanks for pointing that out -- I didn't realize we missed adding the link! It's in a repo on GitHub, and we were banging on it to verify the exploit prerequisites.

I'll go do that as soon as I sit down again.

cyberpunk3y ago

I still can't find it.. Got the link to the repo?

1 more reply

hsbauauvhabzb3y ago

How is handing out a poc 0day ethical when it’s leaked but difficult to find? I’d rather see it censored until at least a patch drops + grace period.

I guess it’s a case by case basis, adding app-specific waf rules will be handy, but that only matters if exploitation patterns are unique per applications, otherwise generic rules could be published.

EdwardDiego3y ago

The whole basis of this claim was a commit in a merged PR yeah?

richbell3y ago

No. There was a credible report, but one of the blogs (Cyber Kendra) linked to a commit that mentioned RCE off hand and said "it looks like they're cleaning up".

https://spring.io/blog/2022/03/31/spring-framework-rce-early...

j / k navigate · click thread line to collapse