when is an exploit responsible?

I)ruid and HD Moore have released exploit code for the recent DNS vulnerability.

I see Andy ITGuy has posted about the release of this exploit code:

But I think that HD stepped over the line with releasing this exploit at this time. There is NO valid reason for it to be released… As security professionals we have to be responsible in how we practice our profession. If not then we are putting ourselves and our users at risk. We are even putting others at risk with our actions when we are irresponsible.

This caught me a bit by surprise, and since I respect Andy and know he’s a smart guy, I thought I would jump into the discussion. While I’m fully pasting my comment below, if anyone wants to react to it, I urge you to do so on Andy’s blog rather than here. 🙂

My response (with emphasis added):

With or without Druid’s exploit, our users were at risk. And rather than sit in the dark and not want exploit code, I certainly don’t mind having it around to learn from it. I’d even contend that we’re better off researching exploit code; write more, learn more, write better ones, learn yet more, and so on.

So, you would probably come back and say that HD Moore shouldn’t have released it “at this time.” But, what basis is there for when a time is appropriate to release exploit code? One year after the disclosure/patches? One month? After a committee of CISSPs gets together and votes on it? After 75% of servers are patched? Ever?

And how does exploit code differ from vulnerability details? Should we not disclose details that could lead to exploit code for 1 month, 1 year, or ever?

This set of questions simply cannot be answered, and never will. And since they can’t be answered, I’d have to err on the side of reality: Exploit code is exploit code, and when it is released it is released. And then move on. 🙂

Andy, I fear you are arguing the side that is actually indefensible. 🙂 Acting “responsibly” is far too relative to ever apply to such a set of people as security-aware geeks.

Here’s another way to tackle it. Should we manage our security posture based on whether exploit code is known or not? Yes, a vulnerability/patch does have a different value based on whether code is known or not, but when no known exploit code is in the wild, is it ok to put off the patching of your servers?

It might be argued that distributing details and exploit code will actually stimulate a more secure digital world. If your timeframe for patching DNS was a month after the patches because the vuln wasn’t known or the exploit created, but is now immediately because an exploit has been released…is that not a desirable state? Obviously the presence of code prompts action, and as such, this might be a benefit to us all…