Friday, April 29, 2011

When to burn a Zero-Day?

So I've often heard people say "Why would you waste a Zero-day on <insert something>?". And on the opposite end of using your Zero-day, you have the hoarders who simply collect them to keep in their back pocket. So the question remains, when is the appropriate time to actually use a Zero-day for legitimate purposes?

The primary impetus for this discussion was someone smugly claiming they would never use a zero-day in a hacking competition or CTF event. So I can understand that stance, however if your trying to win something like P0wn20wn or some other serious hacking competition why wouldn't you? Is that truly a waste of a good Zero-day if it brings you respect in the industry and potentially more consulting work? I don't believe so, however financially given the cost of exploit development it may be wasteful. I think it really depends on the exploit. I've heard that security research companies often task teams of individuals for months to years just to develop a great reliable remote exploit on a popular platform or application. That isn't cheap in terms of billable hours by any means. Financially it may make sense to sell your exploit, however as a whitehat and someone who is a fan of responsible disclosure I can't agree with this line of thought. The other option may be to leverage that exploit in your pen testing engagements. So how would that benefit the customer? Yes it may give you credibility, but if they can't do anything about it patching wise, then nothing is gained. I don't buy into that approach unless you as a pen tester can recommend a solid mitigation plan for the vulnerability you've exploited.

To wrap things up, unless you are specifically tasked to research and deliver a working exploit to a customer for their use, I think it makes the most sense to just follow the responsible disclosure methods. To the contrary, if you are trying to build up your credibility and/or consulting business then it may also make sense to use them in an engagement or competition. I still do not believe the customer is looking to be exploited by a zero-day without any mitigation possibilities, unless you can show them that the exploit is already being traded in the underground. In that case, it is not really your private exploit but a legitimate attack they need to prepare for.

No comments:

Post a Comment