Is it still a good idea to publish proof-of-concept code for zero-days?

More often than not, the publication of proof-of-concept (PoC) code for a security flaw, especially a zero-day, has led to the quick adoption of a vulnerability by threat actors who usually start attacks within hours or days, and don’t give end-users enough time to patch impacted systems.

There has been a debate about this issue, especially when the PoC code doesn’t come from bad guys or other independent sources, but from white-hat security researchers, who in theory, should be focused on protecting users.

The debate around this controversial practice has been going for years, with people in the information security (infosec) field taking both sides of the aisle.

One side argues that security researchers should never publish PoC code because attackers can take that code and automate attacks, while the other side argues that the PoC code is also needed to test large networks and identify vulnerable systems, hence, it should be included where available, as it allows IT departments to simulate future attacks.

Read more…
Source: ZDNet