by ChrisCinelli 2507 days ago
> CVE-2019-11707 was simultaneously discovered by Samuel Groß of Google's Project Zero and the attacker.

At least one other time in the last week I read on other threads on HN or related links that vulnerabilities were found at almost the same time by independent people.

Here we have a researcher from Google’s Project Zero and the attacker.

How do you explain these coincidences?

What is the chance that some prominent researchers are being targeted and their systems are actually exploited?


This is not an uncommon phenomenon and not specific to vuln research. It happens all the time in mathematics, the sciences... [0]

Far more likely: there is a related cause that made two people think to try the same thing at approximately the same time. Someone publishes a new JIT type confusion bug, someone realizes "oh man it never occurred to me that X could trigger bug type Y", they start digging, and...

[0]: https://en.wikipedia.org/wiki/Multiple_discovery

Thanks for the comment. I think where I read of the other synchronous discovery, it was hinting at what you wrote, but I deliberately wanted to hear about the probability of researchers being compromised.

Maybe this is not the case, but if somebody has powerful means, knowledge of how to do successful targeted attacks, and access to the right 0-days, it would make sense that they can use their resources to find other 0-days in this way.

The article clearly states that the attackers and the researchers use very different ways of triggering the vulnerability. It is a coincidence.
It is the same chance as getting two movies with the same premise (Armageddon and Deep Impact, White House Down and Olympus Has Fallen).

1) The cause in your example may be (a) something in current events that triggered ideas about those story lines.

At the same time it can be that (b) people in Hollywood talk with each other about stories they want to put on the screen.

Or it can be (c) that studio A has inside intelligence in studio B looking for interesting stories to be made into a movie.

2) It is similar to 2 startup companies starting to tackle similar new problems. It may be because (a) a new enabling technology came up or a change in the landscape unlocked the new opportunity.

Or because of (b) the loop: entrepreneurs talk to investors -> investors talk with each other -> repeat

Or because (c) entrepreneur A knows that entrepreneur B is up to something and finds a way to spy on them to find out what they are up to.

3) In the case discussed above, it may be (a) a newly discovered bug on a public forum leads to similar bugs being discovered, (b) researchers talking to each other in their circles, (c) a powerful entity getting access to the researcher's "secrets".

The difference between the (a), (b) and (c) causes is that (a) causes happen in public places, (b) causes happen in private circles, and (c) is not a result of deliberate communication; it is stolen IP.

That is already a meaningful distinction. Now the question is how often a, b, and c happen in the different contexts and how they impact the outcome of the projects in the respective fields.

In all examples, timing is one of the keys to being successful.

The difference between (1), (2) and (3) is how legally or ethically the "exploiter" of the IP is able to get the IP, and their tolerance for risk.

It seems that in our case (3), (c) is more likely than in the other cases, considering the actors involved and their modus operandi.

> Project Zero and the attacker. How do you explain these coincidences?

Project Zero buys 0-days on the darknet? Google has unlimited cash, so technically possible.