by ajross 1903 days ago
I don't think that's fair. The Pwn2Own contest rules specifically disallow disclosure. This isn't a "zero day" in any sense but marketing. It's a privately disclosed vulnerability under a managed embargo, just as if it had been reported by Project Zero or whoever.

The ding is that, because it was a "public contest", the existence of the vulnerability is known. And that's probably a higher risk scenario in the abstract I guess. But I think it's clear to all that Pwn2Own and similar activities are a net benefit to global software security nonetheless.


This. The article should have been less about 0days and more about supporting contests and programs that vulnerability researchers.
It’s actually worded in quite that way (even though it’ll be picked up by larger media differently).
Maybe the zero-day isn't disclosed from this Pwn2Own itself, but importantly, we now know it exists, which means we should consider how many bad actors are already independently aware of it and are exploiting it.

Responsible disclosure processes are just as much about closing the vectors that we can't prove are under active exploit.

The Pwn2Own exploits have generally not already been out there. There has been a long history of these, including some incredible Chrome exploits! So the disclosure process tends to work out OK.
I think that's right that Pwn2Own exploits are generally new to the public, but that only means it's not provably out there.

Just to be clear, I think programs like this are great and they do improve safety, but only because they result in patches. This news shouldn't make users feel safe until there is a patch.

A fair number of submissions only received partial points because the vendor claimed they were aware of the bug already.
Agreed, just because it exists doesn’t mean it was being exploited.

And these help patch not just the specific hole; the general approach of the exploit chain may expose a whole area the development team had not previously considered.

I'm not seeing how your point relates to bezoz's point...
Finally, someone who uses "0day" more correctly than nearly everyone else. My remaining sanity thanks you!