NGS Researchers to Continue Sharing Code
After much debate, researchers at Next Generation Security say they will continue to release exploit code for vulnerabilities.The brief crisis of conscience that led researchers at Next Generation Security Software Ltd. to reconsider whether to release exploit code with their vulnerability reports has passed. David Litchfield, the companys co-founder, on Wednesday said he and his brother, Mark, will continue to publish sample exploits in an effort to give administrators and security specialists a level playing field in their battle against crackers. The decision was not one that they made lightly, Litchfield said, but it was made easier by the hundreds of e-mails they received encouraging them to keep publishing exploits. "There are people out there with a high level of intelligence developing, sharing and actively using exploits against [insecure] systems," he said in a lengthy e-mail explaining his thoughts on the subject. "Regardless of motive, there is much to be learnt from these people and their exploits. But if this was the only source of information for those working in the security industry, then the bad guys would always be one step ahead of the good guys; and if theyre one step ahead, we lose and so do the organizations were trying to protect."
Litchfield and NGS Software are well-known for finding vulnerabilities. The company often publishes so-called proof-of-concept code along with their advisories as a way for administrators to test their systems for the flaw.