Well, then the hole you get stuck in with that particular situation is systems going unpatched, b/c there is no exploit for the vulnerability.
A company I used to work for was that way. Regardless of what security strongly recommended, patches weren't being installed in a timely manner...largely b/c there were no reports of actual exploit code being released. However, a customer insisted that the patches be installed ASAP...the logic used by the sysadmins didn't jive.

> Having proof of concept code is always valuable
> (and the sooner the better),
> but I question releasing exploits that execute code
> on the target machine. Having a DoS PoC is enough...
> The legitimate pentesters will be able to modify the
> PoC to execute code on the target while, at the same
> time, the "kiddies" will be stuck with something of
> little or no use to them. This way everybody is
> happy.
> Some of you might say that some "kiddies" will be
> able to modify the DoS PoC to execute code for their
> malicious needs. Well, if this is the case, then we are no
> longer dealing with "kiddies"... If they can do this then
> they are capable of creating their own exploits...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
