Hacker News
by hsbauauvhabzb 1140 days ago
What’s actually reasonable here? I’m all for exploit code becoming public eventually, but I think it’s silly to drop it immediately after a fix has been released, or before, in almost all scenarios (unless 90+ days have passed or the issue is marked as wontfix).
1 comment

Odds are that well-resourced attackers already have the exploit by now. Making it public lets users decide if this is important to them and come up with their own mitigations.
Once they issue the patch... it's only a matter of time till a good chunk of reasonably decent coders can develop the exploit. Once the premise is released... yeah, the top exploit coders will have this in a few hours.
So we lower the bar to all adversaries with no benefit?

If you can read exploit code to determine if patching is worth it for your use case, you can probably also read diffs for the same outcome.

I’m not saying don’t release them, but releasing them with short notice seems irresponsible, without much benefit to defenders.

The link to the exploit accidentally went public. Anyone can have it.