by viraptor 3549 days ago
Why do you think it matters if NSA stops hoarding 0-days? Let's put that into perspective - iPhone jailbreaking community hacks every new release in days/weeks. And that's just a few people doing it for fun and not getting paid. Companies like Cellebrite have more people paid good money to do the same thing, so they're likely to have an even bigger stash of working exploits. And that's for a locked-down device which has all the incentives of being a closed platform.

There's nothing special about NSA or 0-days here. We're using very generic platforms. Lots of organisations have exploits. We're still in a situation where you can point a fuzzer for a few hours at any popular app and get yourself a new 0-day. The only thing that will help you is getting rid of the possibility of exploitation, and limiting the scope when it happens.


It is special because it is government. We have taxpayer money going to support thousands of people finding 0-days. What I am proposing is to move some of those funds to be defensive, and since it is government, the intention and motivation is to make more secure software. It also forces companies and the industry in general to pay more attention to this stuff.

Right now, government doesn't care. Right now, it is cheaper to get hacked, spew all your information, and then say, "sorry". Not right.

We probably do not support "thousands of people" finding zero-days. We might not even support 100 effective researchers.
See budget report.
Doesn't answer that question.