|
|
|
|
|
|
by lawnchair_larry
4832 days ago
|
|
|
> Just knowing there is a preauth RCE in the code base buys you very, very little. I disagree with that. That information is highly valuable. Auditing is a risky time investment; you may not find anything useful. Audit time is a finite resource and you want to allocate it where there are vulnerabilities that are useful. There is no way to know that ahead of time. > Security holes are numerous and the ones that have escaped detection generally continue to do so - the rate of co-discovery is very low in the field. The rate of co-discovery is fairly high once a second party has been tipped off to the general location and nature of a bug. Most competent auditors will spot the same bugs, especially if the second one already got confirmation that it does in fact exist. |
|
|