#6 Why do you provide exploit code, isn’t that irresponsible?

Exploit code is provided because on the one hand some people do not believe that a vulnerability is exploitable (maybe because their attempts failed) and on the other hand the lack of exploit code that tests for a certain vulnerability is the major reason why PHP vulnerabilities are sometimes not correctly fixed or why the same bugs are later reintroduced.

That exploit code should certainly be provided to the PHP developers to prove to them the vulnerability exists and is exploitable. But POC code should not be distributed to the public until after the vendor has had a reasonable amount of time to address the vulnerability and has failed to do so and even then it should first be released to IPS/IDS and AV vendors before its released to the public.

I’m not as concerned as Arthur is about the vendor getting a heads-up on these as long as the disclosure is responsible (ergo no public POC code). But again, it looks like MOPB doesn’t adhere to that.

Its a shame…the idea is worth while but obviously not well executed in this case.

I didn’t follow the Month of Browser Bugs too terribly close but I got a sense that it was successful in that it drew a lot of attention to the problems in browsers, which of course is the main point of the whole MOXB idea and the whole reason I find them appealing.

There has to be a way to prod vendors into action without jeopardizing Joe User.

I had promised myself that I wasn’t going to post about any of the Month of Bugs projects and that everything that needed saying had been said by people far more eloquent than I. But then Michael over at MCW…