I think you're misunderstanding how these things work. People who post POCs for vulnerabilities aren't trying to invite hackers or cause trouble. They're helping developers and security researchers understand exactly what the issue is and how to fix it. Without this information companies take way longer to patch the problem.

> at the same time it also gives the attackers a readymade recipe to exploit this vulnerability. Now, an argument could be made that the attacker themselves may look up the openly published CVE and figure it out on their own, but that's quite different from handing them the master key like this.

You answered yourself here :) Attackers who want to exploit vulnerabilities will figure it out on their own if they have to. Once a vulnerability is public, it's public. The bad guys already have their tools and methods to reverse-engineer the flaws.

> In fact, looking at this from a slightly cynical perspective, the author of this piece could be seen as actually egging or inviting trouble to the said product from potential hackers?

Hackers aren't waiting around for someone to give them an easy way in, they're already constantly looking for these kinds of flaws. The author of the POC is just putting this information out there to help everyone, especially the people who need to patch and secure their systems.

I don't see how the benefits of hiding this info and keeping us in the dark outweigh the benefits of publishing it. Placing blame on the authors of POCs is strange. A larger issue is companies that either make shit soft/hardware, or who don't patch their systems in good time after a vulnerability is discovered.