Assuming you have high bug overlap in a certain area (Windows Internet Explorer bugs, for example), what are the additional questions you want to ask to make policy around whether releasing vulnerabilities is of high enough value to consider?
- Does releasing this vulnerability give my adversaries a temporary but significant advantage? If I release a Windows vulnerability to Microsoft, does that information get handled in a secure way, or can it be exploited by a foreign service to attack American systems for the months before it gets turned into a patch and then deployed by American companies?
- Does releasing this vulnerability demonstrate a sensitive capability we need to keep secret, such as a new kind of bug-class analysis engine?
- Can your opponent recover their stock of vulnerabilities faster than you can get them patched such that releasing the vulnerabilities would not have any positive effect? I.E. Finding high overlap just means you've decided to RACE your opponent's bug finding team. And you might not win.
Feel free to send me more. :)
No comments:
Post a Comment