"Publishing Exploits Early Doesn't Encourage Patching or Help Defense, Data Shows"

A new study conducted by Kenna Security and the Cyentia Institute explores whether releasing exploit code before a patch is available helps or harms security defenders. Some believe that releasing exploit code as soon as a vulnerability is discovered helps in penetration testing, creates an incentive for patching, and makes the vulnerability seem more real. Others believe that early publication of exploits lets attackers, including those who would otherwise be unable to write the code themselves, reuse the published exploit code. Kenna Security and the Cyentia Institute analyzed 6 billion vulnerabilities impacting 12 million active assets across almost 500 organizations during the study. The study examined three key hypotheses: that publishing exploit code encourages fixes, that published exploits improve defense, and that releasing exploit code accelerates breaches. They found that publishing exploits had minimal impact on whether organizations applied fixes, and that releasing exploits before a patch left a larger window of time between publication of a vulnerability and the creation of defensive signatures. Network defenders were found to be nearly exactly as likely to mitigate a problem when an exploit had been published before the patch as when it had not. Patches were found to be more common when the first exploit was released after the patch. According to the study, attackers are also more likely to target vulnerabilities for which an exploit has been released: vulnerabilities with published exploit code were exploited 15 times more often than those without one. This article continues to discuss key findings from the study on whether publishing exploits before patches are available does more harm than good.

SC Media reports "Publishing Exploits Early Doesn't Encourage Patching or Help Defense, Data Shows"