I think a better question is, once a vulnerability has become widespread public knowledge, do you expect malicious actors, malware authors and intelligence agencies of autocratic nation-states to obey a gentlemen's agreement not to exploit something?
There is not a great deal of Venn diagram overlap between "organizations that will pay $2 million for a zero day remote exploit on the latest version of iOS" and "people who care about whether Randy Bush recommends them for a job".

On Sat, Jan 26, 2019 at 8:16 AM Randy Bush <ra...@psg.com> wrote:

> i just want to make sure that folk are really in agreement with what i
> think i have been hearing from a lot of strident voices here.
>
> if you know of an out-of-spec vulnerability or bug in deployed router,
> switch, server, ... ops and researchers should exploit it as much as
> possible in order to encourage fixing of the hole.
>
> given the number of bugs/vulns, are you comfortable that this is going
> to scale well? and this is prudent when our primary responsibility is a
> running internet?
>
> just checkin'
>
> randy
>
>
> PS: if you think this, speak up so i can note to never hire or recommend
> you.
>
> PPS: Anant Shah, Romain Fontugne, Emile Aben, Cristel Pelsser, and Randy
> Bush; "Disco: Fast, Good, and Cheap Outage Detection"; TMA 2017
> ^^^^^ :)