I think a better question is, once a vulnerability has become widespread public knowledge, do you expect malicious actors, malware authors and intelligence agencies of autocratic nation-states to obey a gentlemen's agreement not to exploit something? There is not a great deal of Venn diagram overlap between "organizations that will pay $2 million for a zero day remote exploit on the latest version of iOS" and "people who care about whether Randy Bush recommends them for a job".

On Sat, Jan 26, 2019 at 8:16 AM Randy Bush <randy@psg.com> wrote:
i just want to make sure that folk are really in agreement with what i think i have been hearing from a lot of strident voices here.
if you know of an out-of-spec vulnerability or bug in a deployed router, switch, server, ... ops and researchers should exploit it as much as possible in order to encourage fixing of the hole.
given the number of bugs/vulns, are you comfortable that this is going to scale well? and this is prudent when our primary responsibility is a running internet?
just checkin'
randy
PS: if you think this, speak up so i can note to never hire or recommend you.
PPS: Anant Shah, Romain Fontugne, Emile Aben, Cristel Pelsser, and Randy Bush; "Disco: Fast, Good, and Cheap Outage Detection"; TMA 2017 ^^^^^ :)